package net.jradius.tls;

import java.io.IOException;
import java.io.InputStream;
import org.opennms.shaded.org.bouncycastle.asn1.x509.KeyUsage;
import org.opennms.shaded.org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.opennms.shaded.org.bouncycastle.asn1.x509.X509Extension;
import org.opennms.shaded.org.bouncycastle.asn1.x509.X509Extensions;
import org.opennms.shaded.org.bouncycastle.crypto.InvalidCipherTextException;
import org.opennms.shaded.org.bouncycastle.crypto.encodings.PKCS1Encoding;
import org.opennms.shaded.org.bouncycastle.crypto.engines.RSABlindedEngine;
import org.opennms.shaded.org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.opennms.shaded.org.bouncycastle.crypto.params.ParametersWithRandom;
import org.opennms.shaded.org.bouncycastle.crypto.params.RSAKeyParameters;
import org.opennms.shaded.org.bouncycastle.crypto.util.PublicKeyFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:net/jradius/tls/TlsRSAKeyExchange.class */
public class TlsRSAKeyExchange implements TlsKeyExchange {
    private TlsProtocolHandler handler;
    private CertificateVerifyer verifyer;
    private AsymmetricKeyParameter serverPublicKey = null;
    private RSAKeyParameters rsaServerPublicKey = null;
    private byte[] premasterSecret;

    /* JADX INFO: Access modifiers changed from: package-private */
    public TlsRSAKeyExchange(TlsProtocolHandler tlsProtocolHandler, CertificateVerifyer certificateVerifyer) {
        this.handler = tlsProtocolHandler;
        this.verifyer = certificateVerifyer;
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public void skipServerCertificate() throws IOException {
        this.handler.failWithError((short) 2, (short) 10);
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public void processServerCertificate(Certificate certificate) throws IOException {
        X509CertificateStructure x509CertificateStructure = certificate.certs[0];
        try {
            this.serverPublicKey = PublicKeyFactory.createKey(x509CertificateStructure.getSubjectPublicKeyInfo());
        } catch (RuntimeException e) {
            this.handler.failWithError((short) 2, (short) 43);
        }
        if (this.serverPublicKey.isPrivate()) {
            this.handler.failWithError((short) 2, (short) 80);
        }
        if (!(this.serverPublicKey instanceof RSAKeyParameters)) {
            this.handler.failWithError((short) 2, (short) 46);
        }
        validateKeyUsage(x509CertificateStructure, 32);
        this.rsaServerPublicKey = validateRSAPublicKey((RSAKeyParameters) this.serverPublicKey);
        if (this.verifyer.isValid(certificate.getCerts())) {
            return;
        }
        this.handler.failWithError((short) 2, (short) 90);
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public void skipServerKeyExchange() throws IOException {
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public void processServerKeyExchange(InputStream inputStream, SecurityParameters securityParameters) throws IOException {
        this.handler.failWithError((short) 2, (short) 10);
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public byte[] generateClientKeyExchange() throws IOException {
        this.premasterSecret = new byte[48];
        this.handler.getRandom().nextBytes(this.premasterSecret);
        TlsUtils.writeVersion(this.premasterSecret, 0);
        PKCS1Encoding pKCS1Encoding = new PKCS1Encoding(new RSABlindedEngine());
        pKCS1Encoding.init(true, new ParametersWithRandom(this.rsaServerPublicKey, this.handler.getRandom()));
        try {
            return pKCS1Encoding.processBlock(this.premasterSecret, 0, this.premasterSecret.length);
        } catch (InvalidCipherTextException e) {
            this.handler.failWithError((short) 2, (short) 80);
            return null;
        }
    }

    @Override // net.jradius.tls.TlsKeyExchange
    public byte[] generatePremasterSecret() throws IOException {
        byte[] bArr = this.premasterSecret;
        this.premasterSecret = null;
        return bArr;
    }

    private void validateKeyUsage(X509CertificateStructure x509CertificateStructure, int i) throws IOException {
        X509Extension extension;
        X509Extensions extensions = x509CertificateStructure.getTBSCertificate().getExtensions();
        if (extensions == null || (extension = extensions.getExtension(X509Extensions.KeyUsage)) == null || (KeyUsage.getInstance(extension).getBytes()[0] & 255 & i) == i) {
            return;
        }
        this.handler.failWithError((short) 2, (short) 46);
    }

    private RSAKeyParameters validateRSAPublicKey(RSAKeyParameters rSAKeyParameters) throws IOException {
        if (!rSAKeyParameters.getExponent().isProbablePrime(2)) {
            this.handler.failWithError((short) 2, (short) 47);
        }
        return rSAKeyParameters;
    }
}
