package iaik.security.rsa;

import iaik.asn1.structures.AlgorithmID;
import iaik.pkcs.pkcs1.MGF1;
import iaik.pkcs.pkcs1.MaskGenerationAlgorithm;
import iaik.pkcs.pkcs1.RSAPssParameterSpec;
import iaik.security.md.SHA;
import iaik.utils.CryptoUtils;
import iaik.utils.Util;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidParameterSpecException;

/* loaded from: input_file:iaik/security/rsa/RSAPssSignature.class */
public class RSAPssSignature extends a {
    private RSAPssParameterSpec h;
    private RSAPssParameterSpec g;
    private byte b;
    byte[] c;
    int d;
    MaskGenerationAlgorithm f;
    AlgorithmID e;
    private static boolean a;
    static final int j = 1;
    private static final byte i = -68;
    private static final String k = "NoPadding";
    static final String l = "RSASSA-PSS";

    public static void setValidateAgainstPssKeyParameters(boolean z) {
        a = z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void d() {
        super.d = (AlgorithmID) AlgorithmID.sha1.clone();
        this.e = (AlgorithmID) AlgorithmID.mgf1.clone();
        this.e.setParameter(super.d.toASN1Object());
        this.hash = new SHA();
        this.f = new MGF1(super.d, this.hash);
        this.d = 20;
        this.b = (byte) -68;
    }

    @Override // java.security.SignatureSpi
    protected boolean engineVerify(byte[] bArr) throws SignatureException {
        if (this.hash == null) {
            throw new NullPointerException("Cannot verify signature. Digest engine must not be null!");
        }
        if (this.f == null) {
            throw new NullPointerException("Cannot verify signature. MGF engine must not be null!");
        }
        int a2 = a();
        int i2 = (a2 + 7) / 8;
        int i3 = a2 - 1;
        if (bArr.length != i2) {
            throw new SignatureException(new StringBuffer("Invalid signature (length is not k (").append(i2).append(") octets!").toString());
        }
        try {
            byte[] a3 = a(bArr);
            int i4 = (i3 + 7) / 8;
            if (i4 < a3.length) {
                if ((a2 - 1) % 8 != 0 || i4 != a3.length - 1) {
                    CryptoUtils.zeroBlock(a3);
                    throw new SignatureException("Invalid signature. Decrypted message too long");
                }
                byte[] bArr2 = new byte[i4];
                System.arraycopy(a3, a3.length - i4, bArr2, 0, i4);
                CryptoUtils.zeroBlock(a3);
                a3 = bArr2;
            }
            byte[] b = b();
            int length = b.length;
            if (this.d < 0) {
                this.d = 20;
            }
            if (i4 < length + this.d + 2) {
                CryptoUtils.zeroBlock(a3);
                throw new SignatureException(new StringBuffer("Inconsitent length: emLen (").append(i4).append(") shorter than hashLen + saltLen + 2!").toString());
            }
            if (a3[a3.length - 1] != this.b) {
                CryptoUtils.zeroBlock(a3);
                throw new SignatureException("Invalid signature. Inconsistent trailer field.");
            }
            if ((a3[0] & (65280 >> ((8 * i4) - i3)) & 255) != 0) {
                CryptoUtils.zeroBlock(a3);
                throw new SignatureException("Invalid signature. Leftmost 8emLen - emBits not all zero.");
            }
            int i5 = (i4 - length) - 1;
            this.f.mask(a3, i5, length, i5, a3, 0);
            a3[0] = (byte) (a3[0] & (255 >> ((8 * i4) - i3)));
            int i6 = ((i4 - length) - this.d) - 2;
            for (int i7 = 0; i7 < i6; i7++) {
                if (a3[i7] != 0) {
                    CryptoUtils.zeroBlock(a3);
                    throw new SignatureException("Invalid signature. Not all leftmost octets of DB are zero");
                }
            }
            if (a3[i6] != 1) {
                CryptoUtils.zeroBlock(a3);
                throw new SignatureException("Invalid signature. Missing 0x01 octet");
            }
            byte[] bArr3 = new byte[8 + length + this.d];
            System.arraycopy(b, 0, bArr3, 8, length);
            if (this.d > 0) {
                System.arraycopy(a3, ((i4 - length) - this.d) - 1, bArr3, 8 + length, this.d);
            }
            boolean equalsBlock = CryptoUtils.equalsBlock(this.hash.digest(bArr3), 0, a3, i5, length);
            CryptoUtils.zeroBlock(a3);
            CryptoUtils.zeroBlock(bArr3);
            return equalsBlock;
        } catch (Exception e) {
            throw new SignatureException(new StringBuffer("Signature decryption error: ").append(e.toString()).toString());
        }
    }

    @Override // java.security.SignatureSpi
    protected byte[] engineSign() throws SignatureException {
        if (this.hash == null) {
            throw new NullPointerException("Cannot calculate signature. Digest engine must not be null!");
        }
        if (this.f == null) {
            throw new NullPointerException("Cannot calculate signature. MGF engine must not be null!");
        }
        int a2 = a();
        int i2 = a2 - 1;
        int i3 = (i2 + 7) / 8;
        byte[] bArr = new byte[i3];
        byte[] b = b();
        int length = b.length;
        if (this.d < 0) {
            this.d = 20;
        }
        if (i3 < length + this.d + 2) {
            throw new SignatureException(new StringBuffer("Encoding error: emLen (").append(i3).append(") shorter than hashLen + saltLen + 2!").toString());
        }
        byte[] bArr2 = this.c;
        byte[] bArr3 = new byte[8 + length + this.d];
        System.arraycopy(b, 0, bArr3, 8, length);
        if (this.d > 0) {
            if (bArr2 == null) {
                SecureRandom c = c();
                if (c == null) {
                    throw new NullPointerException("Cannot calculate signature. No SecureRandom available!");
                }
                bArr2 = new byte[this.d];
                c.nextBytes(bArr2);
            }
            System.arraycopy(bArr2, 0, bArr3, 8 + length, this.d);
        }
        byte[] digest = this.hash.digest(bArr3);
        int i4 = (i3 - length) - 1;
        bArr[(i4 - this.d) - 1] = 1;
        if (this.d > 0) {
            System.arraycopy(bArr2, 0, bArr, i4 - this.d, this.d);
        }
        this.f.mask(digest, 0, digest.length, i4, bArr, 0);
        bArr[0] = (byte) (bArr[0] & (255 >> ((8 * i3) - i2)));
        System.arraycopy(digest, 0, bArr, i4, length);
        bArr[i3 - 1] = this.b;
        try {
            byte[] a3 = a(bArr);
            int i5 = (a2 + 7) / 8;
            if (a3.length < i5) {
                byte[] bArr4 = new byte[i5];
                System.arraycopy(a3, 0, bArr4, i5 - a3.length, a3.length);
                CryptoUtils.zeroBlock(a3);
                a3 = bArr4;
            }
            return a3;
        } catch (Exception e) {
            throw new SignatureException(new StringBuffer("Signing error: ").append(e.toString()).toString());
        }
    }

    @Override // iaik.security.rsa.a, java.security.SignatureSpi
    protected void engineSetParameter(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (algorithmParameterSpec == null) {
            this.h = null;
            d();
            return;
        }
        if (!(algorithmParameterSpec instanceof RSAPssParameterSpec)) {
            throw new InvalidAlgorithmParameterException("Params must be a RSAPssParameterSpec!");
        }
        RSAPssParameterSpec rSAPssParameterSpec = (RSAPssParameterSpec) algorithmParameterSpec;
        int trailerField = rSAPssParameterSpec.getTrailerField();
        if (trailerField != 1) {
            throw new InvalidAlgorithmParameterException(new StringBuffer("Trailer field number ").append(trailerField).append(" not supported by RSASSA-PSS. Expected ").append(1).append("!").toString());
        }
        if (this.g != null && a) {
            try {
                if (!RSAPssPublicKey.a(this.g, rSAPssParameterSpec)) {
                    throw new InvalidAlgorithmParameterException("Parameters are not valid for PSS-Key used with this engine!");
                }
            } catch (InvalidParameterSpecException unused) {
            }
        }
        super.d = rSAPssParameterSpec.getHashAlgorithm();
        try {
            this.hash = rSAPssParameterSpec.getHashEngine();
            this.e = rSAPssParameterSpec.getMaskGenAlgorithm();
            try {
                this.f = rSAPssParameterSpec.getMGFEngine();
                this.d = rSAPssParameterSpec.getSaltLength();
                if (this.d < 0) {
                    throw new InvalidAlgorithmParameterException("Cannot set saltLength parameter; must not be negative.");
                }
                this.c = rSAPssParameterSpec.getSalt();
                SecureRandom secureRandom = rSAPssParameterSpec.getSecureRandom();
                if (secureRandom != null) {
                    a(secureRandom);
                }
                this.h = (RSAPssParameterSpec) rSAPssParameterSpec.clone();
            } catch (NoSuchAlgorithmException e) {
                throw new InvalidAlgorithmParameterException(new StringBuffer("Cannot set mask generation algorithm parameter; no mgf engine available: ").append(e.getMessage()).toString());
            }
        } catch (NoSuchAlgorithmException e2) {
            throw new InvalidAlgorithmParameterException(new StringBuffer("Cannot set hash algorithm parameter; no hash engine available: ").append(e2.getMessage()).toString());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // iaik.security.rsa.a, java.security.SignatureSpi
    public void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
        RSAPublicKey rSAPublicKey = Util.getRSAPublicKey(publicKey);
        if (rSAPublicKey instanceof RSAPssPublicKey) {
            try {
                AlgorithmParameterSpec params = ((RSAPssPublicKey) rSAPublicKey).getParams();
                if (params != null) {
                    if (this.h == null) {
                        engineSetParameter(params);
                    } else if (a) {
                        try {
                            if (!RSAPssPublicKey.a((RSAPssParameterSpec) params, this.h)) {
                                throw new InvalidKeyException("Application set parameters are not valid for PSS-Key used with this engine!");
                            }
                        } catch (InvalidParameterSpecException unused) {
                        }
                    }
                    this.g = (RSAPssParameterSpec) ((RSAPssParameterSpec) params).clone();
                }
            } catch (InvalidKeyException e) {
                throw e;
            } catch (Exception e2) {
                throw new InvalidKeyException(new StringBuffer("RSA-PSS key contains invalid parameters: ").append(e2.toString()).toString());
            }
        }
        super.engineInitVerify(rSAPublicKey);
        if (this.f != null) {
            this.f.reset();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // iaik.security.rsa.a, java.security.SignatureSpi
    public void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
        RSAPrivateKey rSAPrivateKey = Util.getRSAPrivateKey(privateKey);
        if (rSAPrivateKey instanceof RSAPssPrivateKey) {
            try {
                AlgorithmParameterSpec params = ((RSAPssPrivateKey) rSAPrivateKey).getParams();
                if (params != null) {
                    if (this.h == null) {
                        engineSetParameter(params);
                    } else if (a) {
                        try {
                            if (!RSAPssPublicKey.a((RSAPssParameterSpec) params, this.h)) {
                                throw new InvalidKeyException("Application set parameters are not valid for PSS-Key used with this engine!");
                            }
                        } catch (InvalidParameterSpecException unused) {
                        }
                    }
                    this.g = (RSAPssParameterSpec) ((RSAPssParameterSpec) params).clone();
                }
            } catch (InvalidKeyException e) {
                throw e;
            } catch (Exception e2) {
                throw new InvalidKeyException(new StringBuffer("RSA-PSS key contains invalid parameters: ").append(e2.toString()).toString());
            }
        }
        super.engineInitSign(rSAPrivateKey);
        if (this.f != null) {
            this.f.reset();
        }
    }

    @Override // java.security.SignatureSpi
    protected AlgorithmParameters engineGetParameters() {
        AlgorithmParameters algorithmParameters = null;
        if (super.d != null && this.e != null) {
            try {
                RSAPssParameterSpec rSAPssParameterSpec = new RSAPssParameterSpec(super.d, this.e, this.d);
                algorithmParameters = AlgorithmParameters.getInstance(l, "IAIK");
                algorithmParameters.init(rSAPssParameterSpec);
                return algorithmParameters;
            } catch (Exception unused) {
            }
        }
        return algorithmParameters;
    }

    @Override // iaik.security.rsa.a, java.security.SignatureSpi
    protected Object engineGetParameter(String str) throws InvalidParameterException {
        return engineGetParameters();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public RSAPssSignature(String str) {
        super(str, k);
        this.b = (byte) -68;
    }

    public RSAPssSignature() {
        this(l);
        d();
    }
}
