package org.bouncycastle.tls.crypto.impl.jcajce;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.interfaces.DHPublicKey;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.tls.SignatureScheme;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.TlsCryptoException;
import org.bouncycastle.tls.crypto.TlsEncryptor;
import org.bouncycastle.tls.crypto.TlsVerifier;

/* loaded from: input_file:WEB-INF/lib/bctls-fips-1.0.13.jar:org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCertificate.class */
public class JcaTlsCertificate implements TlsCertificate {
    protected static final int KU_DIGITAL_SIGNATURE = 0;
    protected static final int KU_NON_REPUDIATION = 1;
    protected static final int KU_KEY_ENCIPHERMENT = 2;
    protected static final int KU_DATA_ENCIPHERMENT = 3;
    protected static final int KU_KEY_AGREEMENT = 4;
    protected static final int KU_KEY_CERT_SIGN = 5;
    protected static final int KU_CRL_SIGN = 6;
    protected static final int KU_ENCIPHER_ONLY = 7;
    protected static final int KU_DECIPHER_ONLY = 8;
    protected final JcaTlsCrypto crypto;
    protected final X509Certificate certificate;
    protected DHPublicKey pubKeyDH;
    protected ECPublicKey pubKeyEC;
    protected PublicKey pubKeyRSA;

    public static JcaTlsCertificate convert(JcaTlsCrypto jcaTlsCrypto, TlsCertificate tlsCertificate) throws IOException {
        return tlsCertificate instanceof JcaTlsCertificate ? (JcaTlsCertificate) tlsCertificate : new JcaTlsCertificate(jcaTlsCrypto, tlsCertificate.getEncoded());
    }

    public static X509Certificate parseCertificate(JcaJceHelper jcaJceHelper, byte[] bArr) throws IOException {
        try {
            Certificate certificate = Certificate.getInstance(TlsUtils.readASN1Object(bArr));
            SubjectPublicKeyInfoChecker.checkInfo(certificate.getSubjectPublicKeyInfo());
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(certificate.getEncoded(ASN1Encoding.DER));
            X509Certificate x509Certificate = (X509Certificate) jcaJceHelper.createCertificateFactory("X.509").generateCertificate(byteArrayInputStream);
            if (byteArrayInputStream.available() != 0) {
                throw new IOException("Extra data detected in stream");
            }
            return x509Certificate;
        } catch (IllegalArgumentException e) {
            throw new TlsCryptoException("unable to decode certificate", e);
        } catch (GeneralSecurityException e2) {
            throw new TlsCryptoException("unable to decode certificate", e2);
        }
    }

    public JcaTlsCertificate(JcaTlsCrypto jcaTlsCrypto, byte[] bArr) throws IOException {
        this(jcaTlsCrypto, parseCertificate(jcaTlsCrypto.getHelper(), bArr));
    }

    public JcaTlsCertificate(JcaTlsCrypto jcaTlsCrypto, X509Certificate x509Certificate) {
        this.pubKeyDH = null;
        this.pubKeyEC = null;
        this.pubKeyRSA = null;
        this.crypto = jcaTlsCrypto;
        this.certificate = x509Certificate;
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public TlsEncryptor createEncryptor(int i) throws IOException {
        validateKeyUsageBit(2);
        switch (i) {
            case 3:
                this.pubKeyRSA = getPubKeyRSA();
                return new JcaTlsRSAEncryptor(this.crypto, this.pubKeyRSA);
            default:
                throw new TlsFatalAlert((short) 46);
        }
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public TlsVerifier createVerifier(short s) throws IOException {
        switch (s) {
            case 4:
            case 5:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 11:
                return createVerifier(SignatureScheme.from((short) 8, s));
            default:
                validateKeyUsageBit(0);
                switch (s) {
                    case 1:
                        validateRSA_PKCS1();
                        return new JcaTlsRSAVerifier(this.crypto, getPubKeyRSA());
                    case 2:
                        return new JcaTlsDSAVerifier(this.crypto, getPubKeyDSS());
                    case 3:
                        return new JcaTlsECDSAVerifier(this.crypto, getPubKeyEC());
                    default:
                        throw new TlsFatalAlert((short) 46);
                }
        }
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public TlsVerifier createVerifier(int i) throws IOException {
        validateKeyUsageBit(0);
        switch (i) {
            case SignatureScheme.rsa_pkcs1_sha1 /* 513 */:
            case SignatureScheme.rsa_pkcs1_sha256 /* 1025 */:
            case 1281:
            case SignatureScheme.rsa_pkcs1_sha512 /* 1537 */:
                validateRSA_PKCS1();
                return new JcaTlsRSAVerifier(this.crypto, getPubKeyRSA());
            case SignatureScheme.ecdsa_sha1 /* 515 */:
            case SignatureScheme.ecdsa_secp256r1_sha256 /* 1027 */:
            case 1283:
            case SignatureScheme.ecdsa_secp521r1_sha512 /* 1539 */:
            case SignatureScheme.ecdsa_brainpoolP256r1tls13_sha256 /* 2074 */:
            case SignatureScheme.ecdsa_brainpoolP384r1tls13_sha384 /* 2075 */:
            case SignatureScheme.ecdsa_brainpoolP512r1tls13_sha512 /* 2076 */:
                return new JcaTlsECDSA13Verifier(this.crypto, getPubKeyEC(), i);
            case SignatureScheme.rsa_pss_rsae_sha256 /* 2052 */:
            case SignatureScheme.rsa_pss_rsae_sha384 /* 2053 */:
            case SignatureScheme.rsa_pss_rsae_sha512 /* 2054 */:
                validateRSA_PSS_RSAE();
                return new JcaTlsRSAPSSVerifier(this.crypto, getPubKeyRSA(), i);
            case SignatureScheme.ed25519 /* 2055 */:
                return new JcaTlsEd25519Verifier(this.crypto, getPubKeyEd25519());
            case SignatureScheme.ed448 /* 2056 */:
                return new JcaTlsEd448Verifier(this.crypto, getPubKeyEd448());
            case SignatureScheme.rsa_pss_pss_sha256 /* 2057 */:
            case SignatureScheme.rsa_pss_pss_sha384 /* 2058 */:
            case SignatureScheme.rsa_pss_pss_sha512 /* 2059 */:
                validateRSA_PSS_PSS(SignatureScheme.getSignatureAlgorithm(i));
                return new JcaTlsRSAPSSVerifier(this.crypto, getPubKeyRSA(), i);
            default:
                throw new TlsFatalAlert((short) 46);
        }
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public byte[] getEncoded() throws IOException {
        try {
            return this.certificate.getEncoded();
        } catch (CertificateEncodingException e) {
            throw new TlsCryptoException("unable to encode certificate: " + e.getMessage(), e);
        }
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public byte[] getExtension(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws IOException {
        byte[] extensionValue = this.certificate.getExtensionValue(aSN1ObjectIdentifier.getId());
        if (extensionValue == null) {
            return null;
        }
        return ((ASN1OctetString) ASN1Primitive.fromByteArray(extensionValue)).getOctets();
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public BigInteger getSerialNumber() {
        return this.certificate.getSerialNumber();
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public String getSigAlgOID() {
        return this.certificate.getSigAlgOID();
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public ASN1Encodable getSigAlgParams() throws IOException {
        byte[] sigAlgParams = this.certificate.getSigAlgParams();
        if (null == sigAlgParams) {
            return null;
        }
        ASN1Primitive readASN1Object = TlsUtils.readASN1Object(sigAlgParams);
        TlsUtils.requireDEREncoding(readASN1Object, sigAlgParams);
        return readASN1Object;
    }

    DHPublicKey getPubKeyDH() throws IOException {
        try {
            return (DHPublicKey) getPublicKey();
        } catch (ClassCastException e) {
            throw new TlsFatalAlert((short) 46, (Throwable) e);
        }
    }

    DSAPublicKey getPubKeyDSS() throws IOException {
        try {
            return (DSAPublicKey) getPublicKey();
        } catch (ClassCastException e) {
            throw new TlsFatalAlert((short) 46, (Throwable) e);
        }
    }

    ECPublicKey getPubKeyEC() throws IOException {
        try {
            return (ECPublicKey) getPublicKey();
        } catch (ClassCastException e) {
            throw new TlsFatalAlert((short) 46, (Throwable) e);
        }
    }

    PublicKey getPubKeyEd25519() throws IOException {
        PublicKey publicKey = getPublicKey();
        if (EdDSAParameterSpec.Ed25519.equals(publicKey.getAlgorithm())) {
            return publicKey;
        }
        throw new TlsFatalAlert((short) 46);
    }

    PublicKey getPubKeyEd448() throws IOException {
        PublicKey publicKey = getPublicKey();
        if (EdDSAParameterSpec.Ed448.equals(publicKey.getAlgorithm())) {
            return publicKey;
        }
        throw new TlsFatalAlert((short) 46);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PublicKey getPubKeyRSA() throws IOException {
        return getPublicKey();
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public short getLegacySignatureAlgorithm() throws IOException {
        PublicKey publicKey = getPublicKey();
        if (!supportsKeyUsageBit(0)) {
            return (short) -1;
        }
        if (publicKey instanceof RSAPublicKey) {
            return (short) 1;
        }
        if (publicKey instanceof DSAPublicKey) {
            return (short) 2;
        }
        return publicKey instanceof ECPublicKey ? (short) 3 : (short) -1;
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public boolean supportsSignatureAlgorithm(short s) throws IOException {
        if (supportsKeyUsageBit(0)) {
            return implSupportsSignatureAlgorithm(s);
        }
        return false;
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public boolean supportsSignatureAlgorithmCA(short s) throws IOException {
        return implSupportsSignatureAlgorithm(s);
    }

    @Override // org.bouncycastle.tls.crypto.TlsCertificate
    public TlsCertificate checkUsageInRole(int i) throws IOException {
        switch (i) {
            case 1:
                validateKeyUsageBit(4);
                this.pubKeyDH = getPubKeyDH();
                return this;
            case 2:
                validateKeyUsageBit(4);
                this.pubKeyEC = getPubKeyEC();
                return this;
            default:
                throw new TlsFatalAlert((short) 46);
        }
    }

    protected boolean implSupportsSignatureAlgorithm(short s) throws IOException {
        PublicKey publicKey = getPublicKey();
        switch (s) {
            case 1:
                return supportsRSA_PKCS1() && (publicKey instanceof RSAPublicKey);
            case 2:
                return publicKey instanceof DSAPublicKey;
            case 3:
            case 26:
            case 27:
            case 28:
                return publicKey instanceof ECPublicKey;
            case 4:
            case 5:
            case 6:
                return supportsRSA_PSS_RSAE() && (publicKey instanceof RSAPublicKey);
            case 7:
                return EdDSAParameterSpec.Ed25519.equals(publicKey.getAlgorithm());
            case 8:
                return EdDSAParameterSpec.Ed448.equals(publicKey.getAlgorithm());
            case 9:
            case 10:
            case 11:
                return supportsRSA_PSS_PSS(s) && (publicKey instanceof RSAPublicKey);
            case 12:
            case 13:
            case 14:
            case 15:
            case 16:
            case 17:
            case 18:
            case 19:
            case 20:
            case 21:
            case 22:
            case 23:
            case 24:
            case 25:
            default:
                return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public PublicKey getPublicKey() throws IOException {
        try {
            return this.certificate.getPublicKey();
        } catch (RuntimeException e) {
            throw new TlsFatalAlert((short) 42, (Throwable) e);
        }
    }

    protected SubjectPublicKeyInfo getSubjectPublicKeyInfo() throws IOException {
        return SubjectPublicKeyInfo.getInstance(getPublicKey().getEncoded());
    }

    public X509Certificate getX509Certificate() {
        return this.certificate;
    }

    protected boolean supportsKeyUsageBit(int i) {
        boolean[] keyUsage = this.certificate.getKeyUsage();
        return null == keyUsage || (keyUsage.length > i && keyUsage[i]);
    }

    protected boolean supportsRSA_PKCS1() throws IOException {
        return org.bouncycastle.tls.crypto.impl.RSAUtil.supportsPKCS1(getSubjectPublicKeyInfo().getAlgorithm());
    }

    protected boolean supportsRSA_PSS_PSS(short s) throws IOException {
        return org.bouncycastle.tls.crypto.impl.RSAUtil.supportsPSS_PSS(s, getSubjectPublicKeyInfo().getAlgorithm());
    }

    protected boolean supportsRSA_PSS_RSAE() throws IOException {
        return org.bouncycastle.tls.crypto.impl.RSAUtil.supportsPSS_RSAE(getSubjectPublicKeyInfo().getAlgorithm());
    }

    protected void validateKeyUsageBit(int i) throws IOException {
        if (!supportsKeyUsageBit(i)) {
            throw new TlsFatalAlert((short) 46);
        }
    }

    protected void validateRSA_PKCS1() throws IOException {
        if (!supportsRSA_PKCS1()) {
            throw new TlsFatalAlert((short) 46);
        }
    }

    protected void validateRSA_PSS_PSS(short s) throws IOException {
        if (!supportsRSA_PSS_PSS(s)) {
            throw new TlsFatalAlert((short) 46);
        }
    }

    protected void validateRSA_PSS_RSAE() throws IOException {
        if (!supportsRSA_PSS_RSAE()) {
            throw new TlsFatalAlert((short) 46);
        }
    }
}
