package com.dyadicsec.provider;

import com.dyadicsec.pkcs11.CKException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECPoint;
import javax.crypto.KeyAgreementSpi;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:ekm-java-provider-2.0.jar:com/dyadicsec/provider/ECDHKeyAgreement.class */
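/**
 * Two-party ECDH {@link KeyAgreementSpi} whose derivation is delegated to the
 * private key's {@code pkcs11Key} object.
 *
 * <p>Lifecycle: {@code engineInit} (private key) -> {@code engineDoPhase}
 * (peer public key, {@code lastPhase == true}) -> one of the
 * {@code engineGenerateSecret} overloads. Generating the secret clears the
 * stored peer point, so a new {@code engineDoPhase} is needed before the next
 * derivation, as the {@code javax.crypto.KeyAgreement} contract describes.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Re-initialising always discards a previously stored peer point, so a
 *       point that was checked against one private key can never be combined
 *       with a different one.</li>
 *   <li>The peer key must use the same domain parameters as the private key
 *       (curve, generator, order and cofactor), not merely the same order.</li>
 *   <li>For prime-field curves the peer point is checked to be a finite point
 *       on the curve before it is accepted. No subgroup-membership check is
 *       done for curves with cofactor > 1, and binary-field points are not
 *       checked here; NOTE(review): confirm the backend validates those.</li>
 *   <li>Intermediate copies of the raw shared secret are zeroed where this
 *       class owns them. The array returned by {@link #engineGenerateSecret()}
 *       is owned by the caller, who should wipe it after use.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe.
 */
public class ECDHKeyAgreement extends KeyAgreementSpi {
    // Local private key handle; null until a successful engineInit.
    private ECPrivateKey prvKey = null;
    // Validated peer public point; null until engineDoPhase, cleared after each derivation.
    private ECPoint pub = null;

    /**
     * Initialises the agreement with the local private key.
     *
     * @param key          must be this provider's {@code ECPrivateKey}
     * @param secureRandom unused
     * @throws InvalidKeyException if the key has the wrong type or {@code save()} fails
     */
    @Override
    protected void engineInit(Key key, SecureRandom secureRandom) throws InvalidKeyException {
        initWithKey(key);
    }

    /**
     * Initialises the agreement with the local private key; algorithm
     * parameters are not supported and must be {@code null}.
     *
     * @param key                    must be this provider's {@code ECPrivateKey}
     * @param algorithmParameterSpec must be {@code null}
     * @param secureRandom           unused
     * @throws InvalidAlgorithmParameterException if parameters are supplied
     * @throws InvalidKeyException                if the key has the wrong type or {@code save()} fails
     */
    @Override
    protected void engineInit(Key key, AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidKeyException, InvalidAlgorithmParameterException {
        if (algorithmParameterSpec != null) {
            throw new InvalidAlgorithmParameterException("Parameters not supported");
        }
        initWithKey(key);
    }

    /** Shared body of both engineInit overloads: resets state, then installs the key. */
    private void initWithKey(Key key) throws InvalidKeyException {
        // Drop all previous state first. Keeping an old peer point across a
        // re-init would let engineGenerateSecret pair it with the new private
        // key without the curve check in engineDoPhase ever running.
        this.prvKey = null;
        this.pub = null;
        if (!(key instanceof ECPrivateKey)) {
            throw new InvalidKeyException("CKKey must be instance of CKECPrivateKey");
        }
        ECPrivateKey candidate = (ECPrivateKey) key;
        try {
            // NOTE(review): save() is defined on the provider's ECPrivateKey;
            // presumably it makes the key available on the backend - confirm.
            candidate.save();
        } catch (KeyStoreException e) {
            throw new InvalidKeyException(e);
        }
        // Only publish the key once save() has succeeded.
        this.prvKey = candidate;
    }

    /**
     * Accepts the peer's public key. Only a single, final phase is supported.
     *
     * @param key the peer's EC public key
     * @param z   the {@code lastPhase} flag; must be {@code true}
     * @return always {@code null} (no intermediate key in a two-party agreement)
     * @throws IllegalStateException if not initialised, if {@code z} is false,
     *                               or if a phase was already executed
     * @throws InvalidKeyException   if the key is not an EC public key, its
     *                               domain parameters differ from the private
     *                               key's, or its point fails validation
     */
    @Override
    protected Key engineDoPhase(Key key, boolean z) throws InvalidKeyException, IllegalStateException {
        if (this.prvKey == null) {
            throw new IllegalStateException("Not initialized");
        }
        if (!z) {
            throw new IllegalStateException("Only two party agreement supported, lastPhase must be true");
        }
        if (this.pub != null) {
            throw new IllegalStateException("Phase already executed");
        }
        if (!(key instanceof java.security.interfaces.ECPublicKey)) {
            throw new InvalidKeyException("CKKey must be a CKPublicKey with algorithm EC");
        }
        java.security.interfaces.ECPublicKey peerKey = (java.security.interfaces.ECPublicKey) key;
        java.security.spec.ECParameterSpec peerParams = peerKey.getParams();
        java.security.spec.ECParameterSpec ownParams = this.prvKey.getParams();
        if (peerParams == null || ownParams == null) {
            throw new InvalidKeyException("EC parameters are missing");
        }
        if (!sameDomain(peerParams, ownParams)) {
            throw new InvalidKeyException("EC curve doesn't match");
        }
        ECPoint w = peerKey.getW();
        // Validate against the private key's parameters: those are the ones
        // the derivation will actually use.
        checkPointOnCurve(w, ownParams);
        this.pub = w;
        return null;
    }

    /**
     * Returns true when both specs describe the same domain parameters.
     * java.security.spec.ECParameterSpec does not define value equality, so
     * the components are compared individually; an order-only comparison is
     * not enough to establish that two keys live on the same curve.
     */
    private static boolean sameDomain(java.security.spec.ECParameterSpec a, java.security.spec.ECParameterSpec b) {
        if (a.equals(b)) {
            return true;
        }
        return a.getCurve().equals(b.getCurve())
                && a.getGenerator().equals(b.getGenerator())
                && a.getOrder().equals(b.getOrder())
                && a.getCofactor() == b.getCofactor();
    }

    /**
     * Rejects the point at infinity and, on prime-field curves, any point whose
     * coordinates are out of range or do not satisfy y^2 = x^3 + ax + b (mod p).
     * Accepting an off-curve point would move the computation onto a different,
     * possibly weak, curve and can leak information about the private key.
     */
    private static void checkPointOnCurve(ECPoint w, java.security.spec.ECParameterSpec params) throws InvalidKeyException {
        if (w == null || w.getAffineX() == null || w.getAffineY() == null) {
            throw new InvalidKeyException("Public point must be a finite point");
        }
        java.security.spec.EllipticCurve curve = params.getCurve();
        if (!(curve.getField() instanceof java.security.spec.ECFieldFp)) {
            // Binary-field curves are not checked locally.
            return;
        }
        java.math.BigInteger p = ((java.security.spec.ECFieldFp) curve.getField()).getP();
        java.math.BigInteger x = w.getAffineX();
        java.math.BigInteger y = w.getAffineY();
        if (x.signum() < 0 || x.compareTo(p) >= 0 || y.signum() < 0 || y.compareTo(p) >= 0) {
            throw new InvalidKeyException("Public point coordinates out of range");
        }
        java.math.BigInteger lhs = y.multiply(y).mod(p);
        // (x^2 + a) * x + b == x^3 + a*x + b
        java.math.BigInteger rhs = x.multiply(x).add(curve.getA()).multiply(x).add(curve.getB()).mod(p);
        if (!lhs.equals(rhs)) {
            throw new InvalidKeyException("Public point is not on the curve");
        }
    }

    /**
     * Derives the raw shared secret and clears the stored peer point.
     *
     * @return the shared secret bytes; the caller owns the array and should
     *         zero it once it is no longer needed
     * @throws IllegalStateException if init or doPhase has not completed
     * @throws ProviderException     if the backend derivation fails
     */
    @Override
    protected byte[] engineGenerateSecret() throws IllegalStateException {
        if (this.prvKey == null || this.pub == null) {
            throw new IllegalStateException("Not initialized correctly");
        }
        ECPoint peer = this.pub;
        try {
            return this.prvKey.pkcs11Key.ecdh(peer);
        } catch (CKException e) {
            throw new ProviderException(e);
        } finally {
            // Back to the post-init state, success or failure, so the object
            // can be reused with a fresh engineDoPhase.
            this.pub = null;
        }
    }

    /**
     * Derives the shared secret into {@code bArr} starting at offset {@code i}.
     *
     * @param bArr destination buffer
     * @param i    offset in {@code bArr} at which the secret is written
     * @return number of bytes written
     * @throws IllegalStateException if init or doPhase has not completed
     * @throws ShortBufferException  if the buffer cannot hold the secret
     */
    @Override
    protected int engineGenerateSecret(byte[] bArr, int i) throws IllegalStateException, ShortBufferException {
        // State check first; otherwise an uninitialised object fails with a
        // NullPointerException on prvKey instead of the documented exception.
        if (this.prvKey == null || this.pub == null) {
            throw new IllegalStateException("Not initialized correctly");
        }
        // NOTE(review): curve.getSize() is taken to be the secret length in bytes - confirm.
        int size = this.prvKey.curve.getSize();
        // Subtract rather than add: i + size can overflow int and slip past the check.
        if (size > bArr.length - i) {
            throw new ShortBufferException("Need " + size + " bytes, only " + (bArr.length - i) + " available");
        }
        byte[] secret = engineGenerateSecret();
        try {
            // Re-check with the real length in case it differs from the estimate.
            if (secret.length > bArr.length - i) {
                throw new ShortBufferException("Need " + secret.length + " bytes, only " + (bArr.length - i) + " available");
            }
            System.arraycopy(secret, 0, bArr, i, secret.length);
            return secret.length;
        } finally {
            // The caller has its copy in bArr; do not leave a second one on the heap.
            java.util.Arrays.fill(secret, (byte) 0);
        }
    }

    /**
     * Derives the shared secret as a {@code TlsPremasterSecret} key.
     *
     * @param str requested key algorithm; only {@code "TlsPremasterSecret"} is supported
     * @return the shared secret wrapped in a {@link SecretKeySpec}
     * @throws NoSuchAlgorithmException if {@code str} is null or unsupported
     * @throws IllegalStateException    if init or doPhase has not completed
     */
    @Override
    protected javax.crypto.SecretKey engineGenerateSecret(String str) throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException {
        if (str == null) {
            throw new NoSuchAlgorithmException("Algorithm must not be null");
        }
        if (!str.equals("TlsPremasterSecret")) {
            throw new NoSuchAlgorithmException("Only supported for algorithm TlsPremasterSecret");
        }
        byte[] secret = engineGenerateSecret();
        try {
            // SecretKeySpec keeps its own copy of the key bytes.
            return new SecretKeySpec(secret, "TlsPremasterSecret");
        } finally {
            java.util.Arrays.fill(secret, (byte) 0);
        }
    }
}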
