package sun.security.pkcs11;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.KeyGeneratorSpi;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import sun.security.internal.spec.TlsKeyMaterialParameterSpec;
import sun.security.internal.spec.TlsKeyMaterialSpec;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.CK_SSL3_KEY_MAT_OUT;
import sun.security.pkcs11.wrapper.CK_SSL3_KEY_MAT_PARAMS;
import sun.security.pkcs11.wrapper.CK_SSL3_RANDOM_DATA;
import sun.security.pkcs11.wrapper.PKCS11Exception;

/* loaded from: input_file:Contents/Home/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11TlsKeyMaterialGenerator.class */
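/**
 * KeyGenerator SPI that derives the TLS/SSL record-protection key block
 * (MAC secrets, cipher keys and IVs) from a master secret on a PKCS#11 token.
 *
 * <p>The generator accepts only a {@link TlsKeyMaterialParameterSpec}; every
 * other {@code engineInit} overload rejects the call. The derivation itself is
 * delegated to the token through {@code C_DeriveKey}.
 *
 * <p>Decompiler note: JADX reports that it widened the access modifiers of the
 * constructor (originally package-private) and of the {@code engine*} methods
 * (originally protected). They are kept as they appear in this listing.
 */
public final class P11TlsKeyMaterialGenerator extends KeyGeneratorSpi {
    private static final String MSG = "TlsKeyMaterialGenerator must be initialized using a TlsKeyMaterialParameterSpec";

    // Protocol versions, encoded as (major << 8) | minor.
    private static final int VERSION_SSL30 = 0x0300; // 768
    private static final int VERSION_TLS11 = 0x0302; // 770

    // PKCS#11 numeric constants. The decompiled listing carried these as bare
    // literals; the names follow the PKCS#11 specification.
    private static final long CKM_SSL3_KEY_AND_MAC_DERIVE = 0x372L; // 882
    private static final long CKM_TLS_KEY_AND_MAC_DERIVE = 0x376L; // 886
    private static final long CKA_CLASS = 0x0L;
    private static final long CKA_KEY_TYPE = 0x100L; // 256
    private static final long CKA_VALUE_LEN = 0x161L; // 353
    private static final long CKO_SECRET_KEY = 0x4L;
    private static final long CKK_GENERIC_SECRET = 0x10L; // 16

    private final Token token;
    private final String algorithm;
    // Overwritten on every engineGenerateKey() call according to the negotiated version.
    private long mechanism;
    // All three fields below are assigned together, and only after validation succeeds.
    private TlsKeyMaterialParameterSpec spec;
    private P11Key p11Key;
    private int version;

    /**
     * Creates a generator bound to a token.
     *
     * @param token the token the derivation runs on
     * @param str the algorithm name this generator was registered under
     * @param j the initial mechanism id; replaced in {@link #engineGenerateKey()}
     * @throws PKCS11Exception declared by the original signature; nothing in this body throws it
     */
    public P11TlsKeyMaterialGenerator(Token token, String str, long j) throws PKCS11Exception {
        this.token = token;
        this.algorithm = str;
        this.mechanism = j;
    }

    /**
     * Always rejects the call: a {@link TlsKeyMaterialParameterSpec} is mandatory.
     *
     * @throws InvalidParameterException always
     */
    @Override
    public void engineInit(SecureRandom secureRandom) {
        throw new InvalidParameterException(MSG);
    }

    /**
     * Initializes the generator from a {@link TlsKeyMaterialParameterSpec}.
     *
     * <p>The protocol version is validated before any state is stored. The
     * decompiled check read {@code version < 768 && version > 770}, which can
     * never be true, so an out-of-range version (for example 0x0303) was
     * accepted and later derived with the TLS 1.0/1.1 mechanism. The check now
     * uses {@code ||}, matching the error message. State is committed only
     * after both the version check and the key conversion succeed, so a failed
     * initialization cannot leave a half-validated spec behind for
     * {@link #engineGenerateKey()}.
     *
     * @param algorithmParameterSpec must be a {@code TlsKeyMaterialParameterSpec}
     * @param secureRandom unused
     * @throws InvalidAlgorithmParameterException if the spec has the wrong type,
     *         names a protocol version outside SSL 3.0 .. TLS 1.1, or carries a
     *         master secret that cannot be converted to a token key
     */
    @Override
    public void engineInit(AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidAlgorithmParameterException {
        if (!(algorithmParameterSpec instanceof TlsKeyMaterialParameterSpec)) {
            throw new InvalidAlgorithmParameterException(MSG);
        }
        TlsKeyMaterialParameterSpec candidateSpec = (TlsKeyMaterialParameterSpec) algorithmParameterSpec;
        int candidateVersion = (candidateSpec.getMajorVersion() << 8) | candidateSpec.getMinorVersion();
        if (candidateVersion < VERSION_SSL30 || candidateVersion > VERSION_TLS11) {
            throw new InvalidAlgorithmParameterException("Only SSL 3.0, TLS 1.0, and TLS 1.1 are supported");
        }
        P11Key candidateKey;
        try {
            candidateKey = P11SecretKeyFactory.convertKey(this.token, candidateSpec.getMasterSecret(), "TlsMasterSecret");
        } catch (InvalidKeyException e) {
            throw new InvalidAlgorithmParameterException("init() failed", e);
        }
        this.spec = candidateSpec;
        this.p11Key = candidateKey;
        this.version = candidateVersion;
    }

    /**
     * Always rejects the call: a {@link TlsKeyMaterialParameterSpec} is mandatory.
     *
     * @throws InvalidParameterException always
     */
    @Override
    public void engineInit(int i, SecureRandom secureRandom) {
        throw new InvalidParameterException(MSG);
    }

    /**
     * Derives the key block on the token and wraps the resulting handles.
     *
     * @return a {@link TlsKeyMaterialSpec} holding client/server MAC keys,
     *         cipher keys and IVs; an element is {@code null} when the
     *         corresponding length in the spec is zero (keys) or when the token
     *         returned no IV
     * @throws IllegalStateException if the generator has not been initialized
     * @throws ProviderException if the cipher algorithm is unknown while a
     *         cipher key is requested, or if the token operation fails
     */
    @Override
    public SecretKey engineGenerateKey() {
        if (this.spec == null) {
            throw new IllegalStateException("TlsKeyMaterialGenerator must be initialized");
        }
        // SSL 3.0 has its own derivation mechanism; every other accepted version uses the TLS one.
        this.mechanism = this.version == VERSION_SSL30 ? CKM_SSL3_KEY_AND_MAC_DERIVE : CKM_TLS_KEY_AND_MAC_DERIVE;

        // The spec lengths are shifted left by 3 (bytes to bits) for the mechanism parameters.
        int macKeyLength = this.spec.getMacKeyLength() << 3;
        int ivLength = this.spec.getIvLength() << 3;
        int expandedCipherKeyLength = this.spec.getExpandedCipherKeyLength() << 3;
        int cipherKeyLength = this.spec.getCipherKeyLength() << 3;

        // A non-zero expanded length sets the boolean flag of CK_SSL3_KEY_MAT_PARAMS
        // (bIsExport in the PKCS#11 structure); otherwise the plain cipher key
        // length is used wherever the expanded length is needed below.
        boolean hasExpandedKey = expandedCipherKeyLength != 0;
        if (!hasExpandedKey) {
            expandedCipherKeyLength = cipherKeyLength;
        }

        CK_SSL3_RANDOM_DATA randomData = new CK_SSL3_RANDOM_DATA(this.spec.getClientRandom(), this.spec.getServerRandom());
        CK_SSL3_KEY_MAT_PARAMS keyMatParams = new CK_SSL3_KEY_MAT_PARAMS(macKeyLength, cipherKeyLength, ivLength, hasExpandedKey, randomData);

        String cipherAlgorithm = this.spec.getCipherAlgorithm();
        long keyType = P11SecretKeyFactory.getKeyType(cipherAlgorithm);
        if (keyType < 0) {
            // An unknown algorithm is tolerated only when no cipher key is requested.
            if (cipherKeyLength != 0) {
                throw new ProviderException("Unknown algorithm: " + cipherAlgorithm);
            }
            keyType = CKK_GENERIC_SECRET;
        }

        Session session = null;
        try {
            session = this.token.getObjSession();

            CK_ATTRIBUTE[] template;
            if (cipherKeyLength != 0) {
                template = new CK_ATTRIBUTE[] {
                    new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
                    new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
                    // Shifted back by 3 (bits to bytes) for the value-length attribute.
                    new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedCipherKeyLength >> 3)
                };
            } else {
                template = new CK_ATTRIBUTE[0];
            }
            CK_ATTRIBUTE[] attributes = this.token.getAttributes("generate", CKO_SECRET_KEY, keyType, template);

            this.token.p11.C_DeriveKey(session.id(), new CK_MECHANISM(this.mechanism, keyMatParams), this.p11Key.keyID, attributes);
            // The derived handles and IVs are read back from the parameter structure.
            CK_SSL3_KEY_MAT_OUT out = keyMatParams.pReturnedKeyMaterial;

            SecretKey clientMacKey = null;
            SecretKey serverMacKey = null;
            if (macKeyLength != 0) {
                clientMacKey = P11Key.secretKey(session, out.hClientMacSecret, "MAC", macKeyLength, attributes);
                serverMacKey = P11Key.secretKey(session, out.hServerMacSecret, "MAC", macKeyLength, attributes);
            }

            SecretKey clientCipherKey = null;
            SecretKey serverCipherKey = null;
            if (cipherKeyLength != 0) {
                clientCipherKey = P11Key.secretKey(session, out.hClientKey, cipherAlgorithm, expandedCipherKeyLength, attributes);
                serverCipherKey = P11Key.secretKey(session, out.hServerKey, cipherAlgorithm, expandedCipherKeyLength, attributes);
            }

            IvParameterSpec clientIv = out.pIVClient == null ? null : new IvParameterSpec(out.pIVClient);
            IvParameterSpec serverIv = out.pIVServer == null ? null : new IvParameterSpec(out.pIVServer);

            return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, clientCipherKey, clientIv, serverCipherKey, serverIv);
        } catch (Exception e) {
            throw new ProviderException("Could not generate key", e);
        } finally {
            // Runs exactly once on every path, including when getObjSession() failed
            // and session is still null (the decompiled code did the same).
            this.token.releaseSession(session);
        }
    }
}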
