package cn.com.bouncycastle.tls.crypto.impl.bc;

import cn.com.bouncycastle.crypto.engines.SM2Engine;
import cn.com.bouncycastle.crypto.params.AsymmetricKeyParameter;
import cn.com.bouncycastle.crypto.params.ECKeyParameters;
import cn.com.bouncycastle.crypto.params.ECPrivateKeyParameters;
import cn.com.bouncycastle.tls.Certificate;
import cn.com.bouncycastle.tls.ProtocolVersion;
import cn.com.bouncycastle.tls.SignatureAndHashAlgorithm;
import cn.com.bouncycastle.tls.TlsCredentialedDecryptor;
import cn.com.bouncycastle.tls.TlsCredentialedSigner;
import cn.com.bouncycastle.tls.crypto.TlsCryptoParameters;
import cn.com.bouncycastle.tls.crypto.TlsSecret;
import cn.com.bouncycastle.tls.crypto.TlsSigner;
import cn.com.bouncycastle.tls.crypto.TlsStreamSigner;
import cn.com.bouncycastle.tls.crypto.impl.TlsImplUtils;
import cn.com.bouncycastle.util.Arrays;
import com.tendcloud.tenddata.au;
import java.io.IOException;
import java.security.SecureRandom;

/* loaded from: classes.dex */
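/**
 * TLS server credentials backed by two SM2 (elliptic-curve) private keys: one used to
 * sign handshake data and one used to decrypt the client's encrypted pre-master secret.
 *
 * <p>Signing is delegated to a {@link BcTlsSM2Signer} created in the constructor;
 * decryption is done with an {@link SM2Engine} in {@link #safeDecryptPreMasterSecret}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The decryption path must not let a peer tell a well-formed pre-master secret
 *       from a malformed one. Every failure (engine exception, wrong plaintext length,
 *       client-version mismatch) is therefore mapped to a freshly generated random
 *       secret instead of an error, with no output written on the failure path.</li>
 *   <li>{@link #getSignPrivateKey()} and {@link #getEncPrivateKey()} return the live key
 *       objects; do not log them or pass them to code that persists them.</li>
 * </ul>
 */
public class BcSM2TlsCredentialedSignerAndDecryptor implements TlsCredentialedDecryptor, TlsCredentialedSigner {
    /** Length in bytes of the pre-master secret handled by {@link #safeDecryptPreMasterSecret}. */
    private static final int PRE_MASTER_SECRET_LENGTH = 48;

    /**
     * Signer identifier handed to {@link BcTlsSM2Signer}. This is the well-known default
     * SM2 user ID, a public constant and not key material.
     */
    private static final String SM2_USER_ID = "1234567812345678";

    protected Certificate certificate;
    protected BcTlsCrypto crypto;
    protected TlsCryptoParameters cryptoParams;
    protected AsymmetricKeyParameter encPrivateKey;
    protected AsymmetricKeyParameter signPrivateKey;
    protected SignatureAndHashAlgorithm signatureAndHashAlgorithm;
    protected TlsSigner signer;

    /**
     * Creates the credentials after validating the certificate and both private keys.
     *
     * @param bcTlsCrypto crypto provider; must not be null
     * @param tlsCryptoParameters parameters of the current connection (stored as given, not validated here)
     * @param certificate certificate chain presented to the peer; must be non-null and non-empty
     * @param asymmetricKeyParameter the signing private key; must be a private {@link ECKeyParameters}
     * @param asymmetricKeyParameter2 the decryption private key; must be a private {@link ECKeyParameters}
     * @param signatureAndHashAlgorithm algorithm reported by {@link #getSignatureAndHashAlgorithm()}; may be null
     * @throws IllegalArgumentException if any of the checks above fails
     */
    public BcSM2TlsCredentialedSignerAndDecryptor(BcTlsCrypto bcTlsCrypto, TlsCryptoParameters tlsCryptoParameters, Certificate certificate, AsymmetricKeyParameter asymmetricKeyParameter, AsymmetricKeyParameter asymmetricKeyParameter2, SignatureAndHashAlgorithm signatureAndHashAlgorithm) {
        if (bcTlsCrypto == null) {
            throw new IllegalArgumentException("'crypto' cannot be null");
        }
        if (certificate == null) {
            throw new IllegalArgumentException("'certificate' cannot be null");
        }
        if (certificate.isEmpty()) {
            throw new IllegalArgumentException("'certificate' cannot be empty");
        }
        if (asymmetricKeyParameter == null) {
            throw new IllegalArgumentException("'signPrivateKey' cannot be null");
        }
        if (!asymmetricKeyParameter.isPrivate()) {
            throw new IllegalArgumentException("'signPrivateKey' must be private");
        }
        if (asymmetricKeyParameter2 == null) {
            throw new IllegalArgumentException("'encPrivateKey' cannot be null");
        }
        if (!asymmetricKeyParameter2.isPrivate()) {
            throw new IllegalArgumentException("'encPrivateKey' must be private");
        }
        // Checked separately so the message names the class of the key that was actually
        // rejected (a combined check always reported the signing key's class).
        if (!(asymmetricKeyParameter instanceof ECKeyParameters)) {
            throw new IllegalArgumentException("'privateKey' type not supported: " + asymmetricKeyParameter.getClass().getName());
        }
        if (!(asymmetricKeyParameter2 instanceof ECKeyParameters)) {
            throw new IllegalArgumentException("'privateKey' type not supported: " + asymmetricKeyParameter2.getClass().getName());
        }
        this.crypto = bcTlsCrypto;
        this.cryptoParams = tlsCryptoParameters;
        this.certificate = certificate;
        this.signPrivateKey = asymmetricKeyParameter;
        this.encPrivateKey = asymmetricKeyParameter2;
        this.signatureAndHashAlgorithm = signatureAndHashAlgorithm;
        // Explicit charset: the identifier bytes feed into the signature, so they must not
        // depend on the platform default encoding.
        this.signer = new BcTlsSM2Signer(bcTlsCrypto, (ECPrivateKeyParameters) asymmetricKeyParameter, SM2_USER_ID.getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    }

    /**
     * Decrypts the peer's encrypted pre-master secret with the decryption private key.
     *
     * @param tlsCryptoParameters parameters of the current connection (supplies the client version)
     * @param bArr the ciphertext received from the peer
     * @return the decrypted secret, or a random substitute if the ciphertext was not acceptable
     */
    @Override
    public TlsSecret decrypt(TlsCryptoParameters tlsCryptoParameters, byte[] bArr) throws IOException {
        return safeDecryptPreMasterSecret(tlsCryptoParameters, (ECKeyParameters) this.encPrivateKey, bArr);
    }

    /**
     * Signs {@code bArr} with the signing key, using the algorithm from {@link #getEffectiveAlgorithm()}.
     */
    @Override
    public byte[] generateRawSignature(byte[] bArr) throws IOException {
        return this.signer.generateRawSignature(getEffectiveAlgorithm(), bArr);
    }

    /** Returns the certificate chain supplied to the constructor. */
    @Override
    public Certificate getCertificate() {
        return this.certificate;
    }

    /**
     * Returns the signature algorithm to pass to the signer.
     *
     * @return null when {@code TlsImplUtils.isTLSv12} is false for the stored parameters,
     *         otherwise the configured algorithm
     * @throws IllegalStateException if the TLS 1.2 check passes but no algorithm was configured
     */
    protected SignatureAndHashAlgorithm getEffectiveAlgorithm() {
        if (!TlsImplUtils.isTLSv12(this.cryptoParams)) {
            return null;
        }
        SignatureAndHashAlgorithm signatureAndHashAlgorithm = getSignatureAndHashAlgorithm();
        if (signatureAndHashAlgorithm != null) {
            return signatureAndHashAlgorithm;
        }
        throw new IllegalStateException("'signatureAndHashAlgorithm' cannot be null for (D)TLS 1.2+");
    }

    /** Returns the live decryption private key object; handle as secret material. */
    public AsymmetricKeyParameter getEncPrivateKey() {
        return this.encPrivateKey;
    }

    /** Returns the live signing private key object; handle as secret material. */
    public AsymmetricKeyParameter getSignPrivateKey() {
        return this.signPrivateKey;
    }

    /** Returns the algorithm supplied to the constructor (may be null). */
    @Override
    public SignatureAndHashAlgorithm getSignatureAndHashAlgorithm() {
        return this.signatureAndHashAlgorithm;
    }

    /**
     * Returns a streaming signer, or null when {@code TlsImplUtils.isGMTLSv11} is true for
     * the stored parameters.
     */
    @Override
    public TlsStreamSigner getStreamSigner() throws IOException {
        if (TlsImplUtils.isGMTLSv11(this.cryptoParams)) {
            return null;
        }
        return this.signer.getStreamSigner(getEffectiveAlgorithm());
    }

    /**
     * Decrypts a 48-byte pre-master secret without revealing whether decryption succeeded.
     *
     * <p>A random 48-byte fallback is drawn before decryption. The fallback is returned in
     * place of the plaintext when the engine throws, when the plaintext is not exactly 48
     * bytes, or when its first two bytes do not match the client's protocol version. The
     * caller always receives a secret of the same size, so a bad ciphertext surfaces only
     * later in the handshake rather than as an immediate, distinguishable error. This is
     * the same countermeasure TLS specifies for RSA key transport (RFC 5246, 7.4.7.1).
     *
     * @param tlsCryptoParameters supplies the client protocol version to compare against
     * @param eCKeyParameters the SM2 private key used for decryption
     * @param bArr the ciphertext received from the peer
     * @return a secret wrapping either the decrypted plaintext or the random fallback
     */
    protected TlsSecret safeDecryptPreMasterSecret(TlsCryptoParameters tlsCryptoParameters, ECKeyParameters eCKeyParameters, byte[] bArr) {
        SecureRandom secureRandom = this.crypto.getSecureRandom();
        ProtocolVersion clientVersion = tlsCryptoParameters.getClientVersion();

        // Drawn unconditionally so the random source is consumed on every path.
        byte[] fallback = new byte[PRE_MASTER_SECRET_LENGTH];
        secureRandom.nextBytes(fallback);

        byte[] decrypted = null;
        try {
            SM2Engine sm2 = new SM2Engine();
            sm2.init(false, eCKeyParameters);
            decrypted = sm2.processBlock(bArr, 0, bArr.length);
        } catch (Exception ignored) {
            // Deliberately silent: the failure is handled by using the random fallback.
            // Printing a stack trace here would give an observer (logs, timing) a signal
            // that separates bad ciphertexts from good ones.
        }

        // Unlike a padding scheme with a fixed-size fallback, the SM2 engine returns
        // whatever plaintext length the peer encrypted. A short plaintext would otherwise
        // raise ArrayIndexOutOfBoundsException below (a distinguishable failure) and a long
        // one would yield an over-long secret. This length branch is not constant-time;
        // it only guarantees a uniform outcome.
        byte[] candidate = (decrypted != null && decrypted.length == PRE_MASTER_SECRET_LENGTH)
                ? decrypted
                : Arrays.clone(fallback);

        // NOTE(review): au.i is presumably 0xFF (unsigned-byte mask); the reference to a
        // class from an unrelated package looks like a decompiler constant substitution.
        // Confirm the value and replace it with the literal.
        int diff = (clientVersion.getMinorVersion() ^ (candidate[1] & au.i))
                | (clientVersion.getMajorVersion() ^ (candidate[0] & au.i));
        // Fold the low eight bits of the difference into bit 0 without branching.
        diff |= diff >> 1;
        diff |= diff >> 2;
        diff |= diff >> 4;
        // mask is all ones when the version bytes differ, zero when they match.
        int mask = ~((diff & 1) - 1);
        for (int idx = 0; idx < PRE_MASTER_SECRET_LENGTH; idx++) {
            candidate[idx] = (byte) ((candidate[idx] & (~mask)) | (fallback[idx] & mask));
        }
        return this.crypto.createSecret(candidate);
    }
}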
