package com.ibm.crypto.pkcs11impl.provider;

import com.ibm.pkcs11.PKCS11Object;
import com.ibm.security.util.KeyUtil;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.spec.AlgorithmParameterSpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyAgreementSpi;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/ibm/crypto/pkcs11impl/provider/DHPKCS11KeyAgreement.class */
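/**
 * Diffie-Hellman {@link KeyAgreementSpi} that performs the derivation on a PKCS#11 token.
 *
 * <p>The private value stays on the token as a {@link PKCS11Object}; only the peer's public
 * value {@code Y} and the domain parameters {@code P}/{@code G} are held in this object. The
 * shared secret is derived as a temporary generic-secret object, read back into the JVM and the
 * token object is then destroyed.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The raw shared secret is copied into JVM memory. Temporary copies made by this class are
 *       overwritten once the caller's copy has been produced.</li>
 *   <li>When the system property {@code jdk.crypto.KeyAgreement.legacyKDF} is {@code true},
 *       {@link #engineGenerateSecret(String)} builds DES/DESede/Blowfish/AES keys by truncating
 *       the raw shared secret. No key-derivation function is applied, so the property should
 *       stay unset unless a legacy peer requires it.</li>
 *   <li>Only two-party agreement is implemented; see {@link #engineDoPhase(Key, boolean)}.</li>
 * </ul>
 */
public final class DHPKCS11KeyAgreement extends KeyAgreementSpi {
    // Numeric values below equal the PKCS#11 constants of the same name.
    // NOTE(review): assumes the com.ibm.pkcs11 API takes raw PKCS#11 attribute/mechanism
    // numbers unchanged - confirm against that API.
    private static final int CKA_CLASS = 0x0;
    private static final int CKA_VALUE = 0x11;
    private static final int CKA_KEY_TYPE = 0x100;
    private static final int CKA_VALUE_LEN = 0x161;
    private static final int CKM_DH_PKCS_DERIVE = 0x21;

    private final SessionManager sessionManager;
    private final Provider provider;
    private final Config config;

    // Domain parameters taken from the private key in engineInit.
    private BigInteger P;
    private BigInteger G;
    // Peer public value recorded by engineDoPhase; null until a phase has been executed.
    private BigInteger Y;
    // Token handle of the local private value.
    private PKCS11Object p11ObjX;
    // Requested length of the derived secret in bytes: ceil(bitLength(P) / 8).
    private int secretLen;

    /**
     * Lazily reads {@code jdk.crypto.KeyAgreement.legacyKDF} once, inside a privileged block so
     * the lookup does not depend on the caller's property permissions.
     */
    private static class AllowKDF {
        // False when the property is unset (Boolean.getBoolean semantics).
        private static final boolean VALUE = getValue();

        private AllowKDF() {
        }

        private static boolean getValue() {
            return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
                @Override
                public Boolean run() {
                    return Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF");
                }
            });
        }
    }

    /**
     * Creates the SPI bound to the given provider.
     *
     * @param provider the owning provider; cast to {@code IBMPKCS11Impl} to obtain the session
     *     manager and configuration, so any other provider type fails with
     *     {@link ClassCastException}
     * @param str unused by this implementation
     */
    public DHPKCS11KeyAgreement(Provider provider, String str) {
        IBMPKCS11Impl.verifyJceJar();
        this.provider = provider;
        this.sessionManager = ((IBMPKCS11Impl) provider).getSessionManager();
        this.config = ((IBMPKCS11Impl) provider).getConfig();
    }

    /**
     * Creates the SPI bound to the given provider.
     *
     * @param provider the owning provider (must be an {@code IBMPKCS11Impl})
     */
    public DHPKCS11KeyAgreement(Provider provider) {
        this(provider, null);
    }

    /**
     * Initialises the agreement with the local DH private key.
     *
     * <p>All state from a previous agreement is cleared first, so a peer value recorded before
     * re-initialisation can never be combined with the new private key, and a failed
     * initialisation leaves the object unusable rather than holding the old key.
     *
     * @param key the local private key; must implement {@link DHPrivateKey}
     * @param secureRandom not used
     * @throws InvalidKeyException if {@code key} is not a DH private key or cannot be translated
     *     into a token key
     */
    @Override
    protected void engineInit(Key key, java.security.SecureRandom secureRandom) throws InvalidKeyException {
        this.p11ObjX = null;
        this.P = null;
        this.G = null;
        this.Y = null;
        this.secretLen = 0;
        if (!(key instanceof DHPrivateKey)) {
            throw new InvalidKeyException("Only DH PrivateKeys expected.");
        }
        DHPKCS11PrivateKey tokenKey =
                (DHPKCS11PrivateKey) new DHPKCS11KeyFactory(this.provider).engineTranslateKey(key);
        this.p11ObjX = tokenKey.getObject();
        this.P = tokenKey.getParams().getP();
        this.G = tokenKey.getParams().getG();
    }

    /**
     * Initialises the agreement; algorithm parameters are not accepted.
     *
     * @param key the local private key
     * @param algorithmParameterSpec must be {@code null}
     * @param secureRandom not used
     * @throws InvalidAlgorithmParameterException if a parameter spec is supplied
     * @throws InvalidKeyException as for {@link #engineInit(Key, java.security.SecureRandom)}
     */
    @Override
    protected void engineInit(Key key, AlgorithmParameterSpec algorithmParameterSpec, java.security.SecureRandom secureRandom) throws InvalidKeyException, InvalidAlgorithmParameterException {
        if (algorithmParameterSpec != null) {
            throw new InvalidAlgorithmParameterException("Parameters not supported");
        }
        engineInit(key, secureRandom);
    }

    /**
     * Records the peer's public value for the derivation.
     *
     * @param key the peer's DH public key
     * @param z the JCE "last phase" flag; currently ignored (see the note in the body)
     * @return always {@code null}
     * @throws InvalidKeyException if the key is not a DH public key, carries no parameters, or
     *     its parameters differ from those of the private key
     * @throws IllegalStateException if the agreement has not been initialised
     */
    @Override
    protected Key engineDoPhase(Key key, boolean z) throws InvalidKeyException, IllegalStateException {
        if (!(key instanceof DHPublicKey)) {
            throw new InvalidKeyException("Diffie-Hellman public key expected");
        }
        // NOTE(review): presumably this is where the peer's public value is range-checked;
        // confirm that com.ibm.security.util.KeyUtil.validate rejects degenerate Y values.
        KeyUtil.validate(key);
        DHPublicKey peerKey = (DHPublicKey) key;
        if (this.P == null || this.G == null) {
            throw new IllegalStateException("Not initialized");
        }
        // NOTE(review): the flag z is not evaluated. A call with z == false is treated exactly
        // like the final phase and returns null instead of an intermediate key, so multi-party
        // agreement is silently unsupported. Consider rejecting z == false explicitly.
        javax.crypto.spec.DHParameterSpec peerParams = peerKey.getParams();
        if (peerParams == null) {
            // Fail closed: without parameters the group cannot be compared with ours.
            throw new InvalidKeyException("Incompatible parameters");
        }
        BigInteger peerP = peerParams.getP();
        BigInteger peerG = peerParams.getG();
        // A null P or G on the peer key is tolerated and skips that comparison.
        if (peerP != null && !this.P.equals(peerP)) {
            throw new InvalidKeyException("Incompatible parameters");
        }
        if (peerG != null && !this.G.equals(peerG)) {
            throw new InvalidKeyException("Incompatible parameters");
        }
        this.Y = peerKey.getY();
        this.secretLen = (this.P.bitLength() + 7) >> 3;
        return null;
    }

    /**
     * Derives the shared secret on the token and returns its raw bytes.
     *
     * <p>The derived token object is destroyed and the session released on every path,
     * including when reading the value fails.
     *
     * @return the value of the derived secret as returned by the token
     * @throws IllegalStateException if no private key or no peer public value has been set
     */
    @Override
    protected byte[] engineGenerateSecret() throws IllegalStateException {
        if (this.p11ObjX == null || this.Y == null) {
            throw new IllegalStateException("Key agreement has not been completed yet");
        }
        Map<Integer, Object> template = new HashMap<>();
        template.put(CKA_CLASS, PKCS11Object.SECRET_KEY);
        template.put(CKA_KEY_TYPE, PKCS11Object.GENERIC_SECRET);
        template.put(CKA_VALUE_LEN, Integer.valueOf(this.secretLen));
        if (this.config != null) {
            // Configured attributes are applied last and therefore override the defaults above.
            // NOTE(review): a configured attribute that makes the object non-readable would make
            // the CKA_VALUE read below fail - confirm the expected configuration.
            template.putAll(this.config.getAttributes("GENERATE", PKCS11Object.SECRET_KEY, PKCS11Object.GENERIC_SECRET));
        }
        int[] attrTypes = new int[template.size()];
        Object[] attrValues = new Object[template.size()];
        int idx = 0;
        for (Map.Entry<Integer, Object> attr : template.entrySet()) {
            attrTypes[idx] = attr.getKey().intValue();
            attrValues[idx] = attr.getValue();
            idx++;
        }
        Session opSession = this.sessionManager.getOpSession();
        try {
            PKCS11Object derived = opSession.deriveKey(CKM_DH_PKCS_DERIVE, this.Y, this.p11ObjX, attrTypes, attrValues);
            try {
                return (byte[]) opSession.getAttrValue(derived, CKA_VALUE);
            } finally {
                // Never leave the derived secret behind on the token.
                opSession.destroyObject(derived);
            }
        } finally {
            this.sessionManager.releaseSession(opSession);
        }
    }

    /**
     * Derives the shared secret and copies it into the caller's buffer.
     *
     * @param bArr destination buffer
     * @param i offset in {@code bArr} at which the secret is written
     * @return the number of bytes written
     * @throws ShortBufferException if {@code bArr} is {@code null} or too small
     * @throws IllegalStateException if the agreement is not ready
     */
    @Override
    protected int engineGenerateSecret(byte[] bArr, int i) throws IllegalStateException, ShortBufferException {
        if (bArr == null) {
            throw new ShortBufferException("No buffer provided for shared secret");
        }
        byte[] secret = engineGenerateSecret();
        try {
            // NOTE(review): whenever 8 * secret.length differs from bitLength(P) the first byte
            // is dropped. That also triggers for a prime whose bit length is not a multiple of
            // eight, or if the token returns a shorter value, and would then discard a
            // significant byte. Looks like a sign-byte workaround - confirm it applies here.
            boolean dropLeadingByte = (secret.length << 3) != this.P.bitLength();
            int srcPos = dropLeadingByte ? 1 : 0;
            int outLen = secret.length - srcPos;
            if (bArr.length - i < outLen) {
                throw new ShortBufferException(dropLeadingByte
                        ? "Buffer too short for shared secret"
                        : "Buffer too short to hold shared secret");
            }
            System.arraycopy(secret, srcPos, bArr, i, outLen);
            return outLen;
        } finally {
            wipe(secret);
        }
    }

    /**
     * Derives the shared secret and wraps it as a key for the named algorithm.
     *
     * <p>Unless {@code jdk.crypto.KeyAgreement.legacyKDF} is {@code true}, only
     * {@code TlsPremasterSecret} is accepted. With the property set, DES (8 bytes), DESede
     * (24 bytes), Blowfish (up to 56 bytes) and AES (32 bytes if available, else 16) keys are
     * taken from the leading bytes of the raw secret without any key-derivation step.
     *
     * @param str the requested key algorithm; {@code null} yields {@code null}
     * @return the secret key, or {@code null} when {@code str} is {@code null}
     * @throws NoSuchAlgorithmException if the algorithm is not permitted or not known
     * @throws InvalidKeyException if the shared secret is shorter than the required key length
     * @throws IllegalStateException if the agreement is not ready
     */
    @Override
    protected SecretKey engineGenerateSecret(String str) throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException {
        if (str == null) {
            // NOTE(review): callers receive null rather than an exception for a null algorithm.
            return null;
        }
        if (!str.equalsIgnoreCase("TlsPremasterSecret") && !AllowKDF.VALUE) {
            throw new NoSuchAlgorithmException("Unsupported secret key algorithm: " + str);
        }
        byte[] raw = engineGenerateSecret();
        byte[] keyMaterial = raw;
        try {
            int length;
            if (str.equalsIgnoreCase("DES")) {
                length = 8;
            } else if (str.equalsIgnoreCase("DESede")) {
                length = 24;
            } else if (str.equalsIgnoreCase("Blowfish")) {
                length = Math.min(56, keyMaterial.length);
            } else if (str.equalsIgnoreCase("AES")) {
                length = keyMaterial.length >= 32 ? 32 : 16;
            } else {
                if (!str.equalsIgnoreCase("TlsPremasterSecret")) {
                    throw new NoSuchAlgorithmException("Unknown algorithm " + str);
                }
                keyMaterial = KeyUtil.trimZeroes(keyMaterial);
                length = keyMaterial.length;
            }
            if (keyMaterial.length < length) {
                throw new InvalidKeyException("Secret too short");
            }
            // SecretKeySpec copies the bytes, so the temporaries can be wiped afterwards.
            return new SecretKeySpec(keyMaterial, 0, length, str);
        } finally {
            wipe(raw);
            if (keyMaterial != raw) {
                wipe(keyMaterial);
            }
        }
    }

    /** Overwrites a temporary copy of secret material with zeros; tolerates {@code null}. */
    private static void wipe(byte[] material) {
        if (material != null) {
            java.util.Arrays.fill(material, (byte) 0);
        }
    }
}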
