package com.android.internal.net.ipsec.ike.message;

import android.net.ipsec.ike.IkeManager;
import android.net.ipsec.ike.exceptions.AuthenticationFailedException;
import android.net.ipsec.ike.exceptions.IkeProtocolException;
import android.net.ipsec.ike.exceptions.InvalidSyntaxException;
import android.util.ArraySet;
import com.android.internal.net.ipsec.ike.crypto.IkeMacPrf;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/* loaded from: classes.dex */
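/**
 * IKE Auth payload that carries a digital signature.
 *
 * <p>Two wire formats are handled, selected by the auth method held in the superclass:
 *
 * <ul>
 *   <li>auth method 1 ("RSA Digital Sign"): the auth data is the raw signature and the algorithm
 *       is always {@code SHA1withRSA};
 *   <li>auth method 14 ("Generic Digital Sign", RFC 7427): the auth data is a one-byte length, a
 *       DER-encoded AlgorithmIdentifier of that length, then the signature.
 * </ul>
 *
 * <p>Only the four RSA PKCS#1 v1.5 AlgorithmIdentifiers listed below are recognised; anything else
 * received from a peer is rejected with {@link AuthenticationFailedException}.
 *
 * <p>NOTE(review): SHA-1 based signatures are still produced (auth method 1) and accepted (both
 * auth methods). SHA-1 is no longer collision resistant; whether it may be refused is a policy
 * decision that this class does not make - confirm it is handled where the session is configured.
 */
public class IkeAuthDigitalSignPayload extends IkeAuthPayload {
    // Hash algorithm identifiers as carried in the SIGNATURE_HASH_ALGORITHMS notify payload.
    public static final short HASH_ALGORITHM_RSA_SHA1 = 1;
    public static final short HASH_ALGORITHM_RSA_SHA2_256 = 2;
    public static final short HASH_ALGORITHM_RSA_SHA2_384 = 3;
    public static final short HASH_ALGORITHM_RSA_SHA2_512 = 4;
    private static final String KEY_ALGO_NAME = "RSA";
    // Length of every supported DER AlgorithmIdentifier, and the size of the field holding it.
    private static final byte SIGNATURE_ALGO_ASN1_BYTES_LEN = 15;
    private static final byte SIGNATURE_ALGO_ASN1_BYTES_LEN_LEN = 1;
    private static final int SIGNATURE_ALGO_ASN1_LEN_LEN = 1;
    // Java standard algorithm names passed to Signature.getInstance().
    public static final String SIGNATURE_ALGO_RSA_SHA1 = "SHA1withRSA";
    public static final String SIGNATURE_ALGO_RSA_SHA2_256 = "SHA256withRSA";
    public static final String SIGNATURE_ALGO_RSA_SHA2_384 = "SHA384withRSA";
    public static final String SIGNATURE_ALGO_RSA_SHA2_512 = "SHA512withRSA";
    // Signature bytes. For inbound auth method 1 this is the caller's array, not a copy.
    public final byte[] signature;
    // Java standard name of the signature algorithm that produced or must verify `signature`.
    public final String signatureAndHashAlgos;
    private static final String TAG = IkeAuthDigitalSignPayload.class.getSimpleName();
    // DER: SEQUENCE { OID 1.2.840.113549.1.1.N, NULL }. Only the final OID arc differs:
    // 5 = sha1WithRSAEncryption, 11 = sha256..., 12 = sha384..., 13 = sha512WithRSAEncryption.
    private static final byte[] PKI_ALGO_ID_DER_BYTES_RSA_SHA1 = {48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 5, 5, 0};
    private static final byte[] PKI_ALGO_ID_DER_BYTES_RSA_SHA2_256 = {48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 11, 5, 0};
    private static final byte[] PKI_ALGO_ID_DER_BYTES_RSA_SHA2_384 = {48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 12, 5, 0};
    private static final byte[] PKI_ALGO_ID_DER_BYTES_RSA_SHA2_512 = {48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 13, 5, 0};
    // NOTE(review): public mutable array; callers must treat it as read-only.
    public static final short[] ALL_SIGNATURE_ALGO_TYPES = {
        HASH_ALGORITHM_RSA_SHA1,
        HASH_ALGORITHM_RSA_SHA2_256,
        HASH_ALGORITHM_RSA_SHA2_384,
        HASH_ALGORITHM_RSA_SHA2_512
    };
    // Hash algorithm identifier -> Java signature algorithm name. Filled once in the static
    // initialiser below and only read afterwards.
    private static final Map<Short, String> SIGNATURE_ALGO_TYPE_TO_NAME = new HashMap<>();

    @Retention(RetentionPolicy.SOURCE)
    @interface SignatureAlgo {
    }

    static {
        SIGNATURE_ALGO_TYPE_TO_NAME.put(HASH_ALGORITHM_RSA_SHA1, SIGNATURE_ALGO_RSA_SHA1);
        SIGNATURE_ALGO_TYPE_TO_NAME.put(HASH_ALGORITHM_RSA_SHA2_256, SIGNATURE_ALGO_RSA_SHA2_256);
        SIGNATURE_ALGO_TYPE_TO_NAME.put(HASH_ALGORITHM_RSA_SHA2_384, SIGNATURE_ALGO_RSA_SHA2_384);
        SIGNATURE_ALGO_TYPE_TO_NAME.put(HASH_ALGORITHM_RSA_SHA2_512, SIGNATURE_ALGO_RSA_SHA2_512);
    }

    /**
     * Builds an outbound payload by signing the octets returned by {@code getSignedOctets}.
     *
     * <p>An empty {@code set} selects auth method 1 with {@code SHA1withRSA}; a non-empty set
     * selects auth method 14 with the algorithm chosen by {@link #selectGenericSignAuthAlgo}.
     *
     * @param set hash algorithm identifiers to choose from; may be empty
     * @param privateKey key used to produce the signature
     * @param bArr forwarded unchanged to {@code getSignedOctets} (meaning defined there)
     * @param bArr2 forwarded unchanged to {@code getSignedOctets}
     * @param bArr3 forwarded unchanged to {@code getSignedOctets}
     * @param ikeMacPrf forwarded unchanged to {@code getSignedOctets}
     * @param bArr4 forwarded unchanged to {@code getSignedOctets}
     * @throws IllegalArgumentException if the key is rejected or signing fails
     * @throws ProviderException if no installed provider implements the selected algorithm
     */
    public IkeAuthDigitalSignPayload(Set<Short> set, PrivateKey privateKey, byte[] bArr, byte[] bArr2, byte[] bArr3, IkeMacPrf ikeMacPrf, byte[] bArr4) {
        super(false, getAuthMethod(set));
        byte[] signedOctets = getSignedOctets(bArr, bArr2, bArr3, ikeMacPrf, bArr4);
        final String algoName;
        switch (this.authMethod) {
            case 1: // RSA digital signature
                algoName = SIGNATURE_ALGO_RSA_SHA1;
                break;
            case 14: // generic digital signature
                algoName = selectGenericSignAuthAlgo(set);
                break;
            default:
                throw new IllegalStateException("Invalid auth method: " + this.authMethod);
        }
        try {
            Signature signer = Signature.getInstance(algoName);
            signer.initSign(privateKey);
            signer.update(signedOctets);
            this.signature = signer.sign();
            this.signatureAndHashAlgos = algoName;
        } catch (InvalidKeyException | SignatureException e) {
            throw new IllegalArgumentException("Signature generation failed", e);
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the missing provider/algorithm can be diagnosed.
            throw new ProviderException("Security Provider does not support RSA or " + algoName, e);
        }
    }

    /**
     * Decodes an inbound payload from its auth data.
     *
     * <p>The decompiler reports that this constructor was originally {@code protected}.
     *
     * <p>{@code bArr} comes from the peer. For auth method 14 the length prefix is checked against
     * the bytes actually present, so a truncated or oversized prefix is reported as a protocol
     * error here instead of escaping as {@code BufferUnderflowException} or
     * {@code NegativeArraySizeException}.
     *
     * @param z passed to the superclass constructor as its first argument
     * @param i auth method: 1 (RSA digital signature) or 14 (generic digital signature)
     * @param bArr auth data as received
     * @throws InvalidSyntaxException if auth method 14 data is shorter than its length prefix says
     * @throws AuthenticationFailedException if the AlgorithmIdentifier is not a supported one
     * @throws IllegalArgumentException if {@code i} is neither 1 nor 14
     */
    public IkeAuthDigitalSignPayload(boolean z, int i, byte[] bArr) throws IkeProtocolException {
        super(z, i);
        final String algoName;
        final byte[] sigBytes;
        switch (i) {
            case 1:
                algoName = SIGNATURE_ALGO_RSA_SHA1;
                sigBytes = bArr;
                break;
            case 14: {
                ByteBuffer input = ByteBuffer.wrap(bArr);
                if (!input.hasRemaining()) {
                    throw new InvalidSyntaxException("Digital signature auth data is empty");
                }
                int algoIdLen = Byte.toUnsignedInt(input.get());
                if (algoIdLen > input.remaining()) {
                    throw new InvalidSyntaxException("Signature algorithm length exceeds auth data length");
                }
                byte[] algoIdBytes = new byte[algoIdLen];
                input.get(algoIdBytes);
                algoName = bytesToJavaStandardSignAlgoName(algoIdBytes);
                // Everything after the AlgorithmIdentifier is the signature.
                sigBytes = new byte[input.remaining()];
                input.get(sigBytes);
                break;
            }
            default:
                throw new IllegalArgumentException("Unrecognized authentication method.");
        }
        this.signatureAndHashAlgos = algoName;
        this.signature = sigBytes;
    }

    /**
     * Maps a received DER AlgorithmIdentifier to the Java signature algorithm name.
     *
     * <p>Matching is by exact byte equality against the four supported encodings, so the peer
     * cannot select any algorithm outside this list.
     *
     * @throws AuthenticationFailedException if the bytes match none of the supported encodings
     */
    private String bytesToJavaStandardSignAlgoName(byte[] bArr) throws AuthenticationFailedException {
        if (Arrays.equals(PKI_ALGO_ID_DER_BYTES_RSA_SHA1, bArr)) {
            return SIGNATURE_ALGO_RSA_SHA1;
        }
        if (Arrays.equals(PKI_ALGO_ID_DER_BYTES_RSA_SHA2_256, bArr)) {
            return SIGNATURE_ALGO_RSA_SHA2_256;
        }
        if (Arrays.equals(PKI_ALGO_ID_DER_BYTES_RSA_SHA2_384, bArr)) {
            return SIGNATURE_ALGO_RSA_SHA2_384;
        }
        if (Arrays.equals(PKI_ALGO_ID_DER_BYTES_RSA_SHA2_512, bArr)) {
            return SIGNATURE_ALGO_RSA_SHA2_512;
        }
        throw new AuthenticationFailedException("Unrecognized ASN.1 objects for Signature algorithm and Hash");
    }

    /** Returns auth method 1 when no hash algorithms are given, otherwise auth method 14. */
    private static int getAuthMethod(Set<Short> set) {
        return set.isEmpty() ? 1 : 14;
    }

    /**
     * Extracts the supported hash algorithm identifiers from a SIGNATURE_HASH_ALGORITHMS notify
     * payload.
     *
     * <p>The notify data is read as a sequence of 16-bit values. Values that are not in the
     * supported table, and repeats of a value already seen, are logged and left out of the result.
     *
     * @throws IllegalArgumentException if the payload's notify type is not 16431
     * @throws InvalidSyntaxException if the notify data length is odd
     */
    public static Set<Short> getSignatureHashAlgorithmsFromIkeNotifyPayload(IkeNotifyPayload ikeNotifyPayload) throws InvalidSyntaxException {
        if (ikeNotifyPayload.notifyType != 16431) {
            throw new IllegalArgumentException("Notify payload type must be SIGNATURE_HASH_ALGORITHMS");
        }
        if (ikeNotifyPayload.notifyData.length % 2 != 0) {
            throw new InvalidSyntaxException("Received notify(SIGNATURE_HASH_ALGORITHMS) with invalid notify data");
        }
        Set<Short> hashAlgos = new ArraySet<>();
        ByteBuffer input = ByteBuffer.wrap(ikeNotifyPayload.notifyData);
        while (input.hasRemaining()) {
            short s = input.getShort();
            // Short-circuit matters: an unsupported value must never be added to the set.
            if (!SIGNATURE_ALGO_TYPE_TO_NAME.containsKey(s) || !hashAlgos.add(s)) {
                IkeManager.getIkeLog().w(TAG, "Unexpected or repeated Signature Hash Algorithm: " + ((int) s));
            }
        }
        return hashAlgos;
    }

    /**
     * Maps a Java signature algorithm name to its DER AlgorithmIdentifier.
     *
     * <p>The returned array is the shared constant, not a copy; callers must not modify it.
     *
     * @throws IllegalArgumentException if the name is not one of the four supported algorithms
     */
    private byte[] javaStandardSignAlgoNameToAsn1Bytes(String str) {
        switch (str) {
            case SIGNATURE_ALGO_RSA_SHA1:
                return PKI_ALGO_ID_DER_BYTES_RSA_SHA1;
            case SIGNATURE_ALGO_RSA_SHA2_256:
                return PKI_ALGO_ID_DER_BYTES_RSA_SHA2_256;
            case SIGNATURE_ALGO_RSA_SHA2_384:
                return PKI_ALGO_ID_DER_BYTES_RSA_SHA2_384;
            case SIGNATURE_ALGO_RSA_SHA2_512:
                return PKI_ALGO_ID_DER_BYTES_RSA_SHA2_512;
            default:
                throw new IllegalArgumentException("Impossible! We used an unsupported algo");
        }
    }

    /**
     * Picks the signature algorithm for auth method 14: the entry with the numerically largest
     * hash algorithm identifier, which among the supported values is the longest SHA-2 digest
     * present.
     *
     * @param set hash algorithm identifiers to choose from
     * @return the Java signature algorithm name for the chosen identifier
     * @throws IllegalArgumentException if the set is empty or its largest value is unsupported
     */
    static String selectGenericSignAuthAlgo(Set<Short> set) {
        if (set.isEmpty()) {
            throw new IllegalArgumentException("No signature hash algorithm to select from");
        }
        Short strongest = Collections.max(set);
        String algoName = SIGNATURE_ALGO_TYPE_TO_NAME.get(strongest);
        if (algoName == null) {
            // Fail here with a clear message instead of passing null to Signature.getInstance().
            throw new IllegalArgumentException("Unsupported signature hash algorithm: " + strongest);
        }
        return algoName;
    }

    /**
     * Writes the auth data: for auth method 14 the length byte and AlgorithmIdentifier come first,
     * then in both cases the signature.
     */
    @Override // com.android.internal.net.ipsec.ike.message.IkeAuthPayload
    protected void encodeAuthDataToByteBuffer(ByteBuffer byteBuffer) {
        if (this.authMethod == 14) {
            byteBuffer.put(SIGNATURE_ALGO_ASN1_BYTES_LEN);
            byteBuffer.put(javaStandardSignAlgoNameToAsn1Bytes(this.signatureAndHashAlgos));
        }
        byteBuffer.put(this.signature);
    }

    /** Returns the number of bytes {@link #encodeAuthDataToByteBuffer} writes. */
    @Override // com.android.internal.net.ipsec.ike.message.IkeAuthPayload
    protected int getAuthDataLength() {
        if (this.authMethod == 14) {
            // One length byte plus the 15-byte AlgorithmIdentifier precede the signature.
            return SIGNATURE_ALGO_ASN1_LEN_LEN + SIGNATURE_ALGO_ASN1_BYTES_LEN + this.signature.length;
        }
        return this.signature.length;
    }

    /** Returns a human-readable payload name that reflects the auth method. */
    @Override // com.android.internal.net.ipsec.ike.message.IkePayload
    public String getTypeString() {
        switch (this.authMethod) {
            case 1:
                return "Auth(RSA Digital Sign)";
            case 14:
                return "Auth(Generic Digital Sign)";
            default:
                throw new IllegalArgumentException("Unrecognized authentication method.");
        }
    }

    /**
     * Verifies this payload's signature over the octets returned by {@code getSignedOctets},
     * using the public key of the given certificate.
     *
     * <p>This checks the signature only. Nothing here validates the certificate chain, validity
     * period, revocation or peer identity - presumably the caller does so before trusting
     * {@code x509Certificate}; verify against the caller.
     *
     * @param x509Certificate certificate whose public key verifies the signature
     * @param bArr forwarded unchanged to {@code getSignedOctets} (meaning defined there)
     * @param bArr2 forwarded unchanged to {@code getSignedOctets}
     * @param bArr3 forwarded unchanged to {@code getSignedOctets}
     * @param ikeMacPrf forwarded unchanged to {@code getSignedOctets}
     * @param bArr4 forwarded unchanged to {@code getSignedOctets}
     * @throws AuthenticationFailedException if the signature does not verify, the certificate's
     *     key is rejected, or the signature bytes are malformed
     * @throws ProviderException if no installed provider implements the algorithm
     */
    public void verifyInboundSignature(X509Certificate x509Certificate, byte[] bArr, byte[] bArr2, byte[] bArr3, IkeMacPrf ikeMacPrf, byte[] bArr4) throws AuthenticationFailedException {
        byte[] signedOctets = getSignedOctets(bArr, bArr2, bArr3, ikeMacPrf, bArr4);
        try {
            Signature verifier = Signature.getInstance(this.signatureAndHashAlgos);
            verifier.initVerify(x509Certificate);
            verifier.update(signedOctets);
            if (!verifier.verify(this.signature)) {
                throw new AuthenticationFailedException("Signature verification failed.");
            }
        } catch (InvalidKeyException | SignatureException e) {
            throw new AuthenticationFailedException(e);
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the missing provider/algorithm can be diagnosed.
            throw new ProviderException("Security Provider does not support " + this.signatureAndHashAlgos, e);
        }
    }
}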
