package sun.security.pkcs11;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.KeyGeneratorSpi;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import sun.security.internal.spec.TlsPrfParameterSpec;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.CK_TLS_MAC_PARAMS;
import sun.security.pkcs11.wrapper.CK_TLS_PRF_PARAMS;
import sun.security.pkcs11.wrapper.Functions;
import sun.security.pkcs11.wrapper.PKCS11Constants;
import sun.security.pkcs11.wrapper.PKCS11Exception;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sun/security/pkcs11/P11TlsPrfGenerator.class */
public final class P11TlsPrfGenerator extends KeyGeneratorSpi {
    private static final String MSG = "TlsPrfGenerator must be initialized using a TlsPrfParameterSpec";
    private final Token token;
    private final String algorithm;
    private final long mechanism;
    private TlsPrfParameterSpec spec;
    private P11Key p11Key;
    private static final SecretKey NULL_KEY = new SecretKey() { // from class: sun.security.pkcs11.P11TlsPrfGenerator.1
        @Override // java.security.Key
        public byte[] getEncoded() {
            return new byte[0];
        }

        @Override // java.security.Key
        public String getFormat() {
            return "RAW";
        }

        @Override // java.security.Key
        public String getAlgorithm() {
            return "Generic";
        }
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    public P11TlsPrfGenerator(Token token, String str, long j) throws PKCS11Exception {
        this.token = token;
        this.algorithm = str;
        this.mechanism = j;
    }

    @Override // javax.crypto.KeyGeneratorSpi
    protected void engineInit(SecureRandom secureRandom) {
        throw new InvalidParameterException(MSG);
    }

    @Override // javax.crypto.KeyGeneratorSpi
    protected void engineInit(AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidAlgorithmParameterException {
        if (!(algorithmParameterSpec instanceof TlsPrfParameterSpec)) {
            throw new InvalidAlgorithmParameterException(MSG);
        }
        this.spec = (TlsPrfParameterSpec) algorithmParameterSpec;
        SecretKey secret = this.spec.getSecret();
        if (secret == null) {
            secret = NULL_KEY;
        }
        try {
            this.p11Key = P11SecretKeyFactory.convertKey(this.token, secret, null);
        } catch (InvalidKeyException e) {
            throw new InvalidAlgorithmParameterException("init() failed", e);
        }
    }

    @Override // javax.crypto.KeyGeneratorSpi
    protected void engineInit(int i, SecureRandom secureRandom) {
        throw new InvalidParameterException(MSG);
    }

    @Override // javax.crypto.KeyGeneratorSpi
    protected SecretKey engineGenerateKey() {
        if (this.spec == null) {
            throw new IllegalStateException("TlsPrfGenerator must be initialized");
        }
        byte[] seed = this.spec.getSeed();
        if (this.mechanism == 996) {
            int i = 0;
            if (this.spec.getLabel().equals("server finished")) {
                i = 1;
            }
            if (this.spec.getLabel().equals("client finished")) {
                i = 2;
            }
            if (i == 0) {
                throw new ProviderException("Only Finished message authentication code generation supported for TLS 1.2.");
            }
            CK_TLS_MAC_PARAMS ck_tls_mac_params = new CK_TLS_MAC_PARAMS(Functions.getHashMechId(this.spec.getPRFHashAlg()), this.spec.getOutputLength(), i);
            Session session = null;
            try {
                try {
                    session = this.token.getOpSession();
                    this.token.p11.C_SignInit(session.id(), new CK_MECHANISM(this.mechanism, ck_tls_mac_params), this.p11Key.keyID);
                    this.token.p11.C_SignUpdate(session.id(), 0L, seed, 0, seed.length);
                    SecretKeySpec secretKeySpec = new SecretKeySpec(this.token.p11.C_SignFinal(session.id(), this.spec.getOutputLength()), "TlsPrf");
                    this.token.releaseSession(session);
                    return secretKeySpec;
                } catch (PKCS11Exception e) {
                    throw new ProviderException("Could not calculate PRF", e);
                }
            } finally {
            }
        }
        byte[] bytesUTF8 = P11Util.getBytesUTF8(this.spec.getLabel());
        if (this.mechanism == PKCS11Constants.CKM_NSS_TLS_PRF_GENERAL) {
            Session session2 = null;
            try {
                try {
                    session2 = this.token.getOpSession();
                    this.token.p11.C_SignInit(session2.id(), new CK_MECHANISM(this.mechanism), this.p11Key.keyID);
                    this.token.p11.C_SignUpdate(session2.id(), 0L, bytesUTF8, 0, bytesUTF8.length);
                    this.token.p11.C_SignUpdate(session2.id(), 0L, seed, 0, seed.length);
                    SecretKeySpec secretKeySpec2 = new SecretKeySpec(this.token.p11.C_SignFinal(session2.id(), this.spec.getOutputLength()), "TlsPrf");
                    this.token.releaseSession(session2);
                    return secretKeySpec2;
                } catch (PKCS11Exception e2) {
                    throw new ProviderException("Could not calculate PRF", e2);
                }
            } finally {
            }
        }
        byte[] bArr = new byte[this.spec.getOutputLength()];
        CK_TLS_PRF_PARAMS ck_tls_prf_params = new CK_TLS_PRF_PARAMS(seed, bytesUTF8, bArr);
        Session session3 = null;
        try {
            try {
                session3 = this.token.getOpSession();
                this.token.p11.C_DeriveKey(session3.id(), new CK_MECHANISM(this.mechanism, ck_tls_prf_params), this.p11Key.keyID, null);
                SecretKeySpec secretKeySpec3 = new SecretKeySpec(bArr, "TlsPrf");
                this.token.releaseSession(session3);
                return secretKeySpec3;
            } catch (PKCS11Exception e3) {
                throw new ProviderException("Could not calculate PRF", e3);
            }
        } finally {
            this.token.releaseSession(session3);
        }
    }
}
