package com.google.crypto.tink.subtle;

import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.PublicKeySign;
import com.google.crypto.tink.PublicKeyVerify;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.signature.RsaSsaPkcs1Parameters;
import com.google.crypto.tink.signature.RsaSsaPkcs1PrivateKey;
import com.google.crypto.tink.subtle.Enums;
import com.google.errorprone.annotations.Immutable;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;

@Immutable
/* loaded from: classes4.dex */
public final class RsaSsaPkcs1SignJce implements PublicKeySign {

    /* renamed from: f, reason: collision with root package name */
    public static final TinkFipsUtil.AlgorithmFipsCompatibility f69454f = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO;

    /* renamed from: g, reason: collision with root package name */
    private static final byte[] f69455g = new byte[0];

    /* renamed from: h, reason: collision with root package name */
    private static final byte[] f69456h = {0};

    /* renamed from: i, reason: collision with root package name */
    private static final byte[] f69457i = {1, 2, 3};

    /* renamed from: a, reason: collision with root package name */
    private final RSAPrivateCrtKey f69458a;

    /* renamed from: b, reason: collision with root package name */
    private final RSAPublicKey f69459b;

    /* renamed from: c, reason: collision with root package name */
    private final String f69460c;

    /* renamed from: d, reason: collision with root package name */
    private final byte[] f69461d;

    /* renamed from: e, reason: collision with root package name */
    private final byte[] f69462e;

    private RsaSsaPkcs1SignJce(RSAPrivateCrtKey rSAPrivateCrtKey, Enums.HashType hashType, byte[] bArr, byte[] bArr2) {
        if (!f69454f.a()) {
            throw new GeneralSecurityException("Can not use RSA PKCS1.5 in FIPS-mode, as BoringCrypto module is not available.");
        }
        Validators.e(hashType);
        Validators.c(rSAPrivateCrtKey.getModulus().bitLength());
        Validators.d(rSAPrivateCrtKey.getPublicExponent());
        this.f69458a = rSAPrivateCrtKey;
        this.f69460c = SubtleUtil.h(hashType);
        this.f69459b = (RSAPublicKey) ((KeyFactory) EngineFactory.f69406h.a("RSA")).generatePublic(new RSAPublicKeySpec(rSAPrivateCrtKey.getModulus(), rSAPrivateCrtKey.getPublicExponent()));
        this.f69461d = bArr;
        this.f69462e = bArr2;
    }

    public static PublicKeySign b(RsaSsaPkcs1PrivateKey rsaSsaPkcs1PrivateKey) {
        RsaSsaPkcs1SignJce rsaSsaPkcs1SignJce = new RsaSsaPkcs1SignJce((RSAPrivateCrtKey) ((KeyFactory) EngineFactory.f69406h.a("RSA")).generatePrivate(new RSAPrivateCrtKeySpec(rsaSsaPkcs1PrivateKey.c().d(), rsaSsaPkcs1PrivateKey.f().e(), rsaSsaPkcs1PrivateKey.k().b(InsecureSecretKeyAccess.a()), rsaSsaPkcs1PrivateKey.i().b(InsecureSecretKeyAccess.a()), rsaSsaPkcs1PrivateKey.j().b(InsecureSecretKeyAccess.a()), rsaSsaPkcs1PrivateKey.g().b(InsecureSecretKeyAccess.a()), rsaSsaPkcs1PrivateKey.h().b(InsecureSecretKeyAccess.a()), rsaSsaPkcs1PrivateKey.e().b(InsecureSecretKeyAccess.a()))), (Enums.HashType) RsaSsaPkcs1VerifyJce.f69466e.c(rsaSsaPkcs1PrivateKey.f().c()), rsaSsaPkcs1PrivateKey.b().d(), rsaSsaPkcs1PrivateKey.f().f().equals(RsaSsaPkcs1Parameters.Variant.f68974d) ? f69456h : f69455g);
        PublicKeyVerify b2 = RsaSsaPkcs1VerifyJce.b(rsaSsaPkcs1PrivateKey.c());
        try {
            byte[] bArr = f69457i;
            b2.a(rsaSsaPkcs1SignJce.a(bArr), bArr);
            return rsaSsaPkcs1SignJce;
        } catch (GeneralSecurityException e2) {
            throw new GeneralSecurityException("RsaSsaPkcs1 signing with private key followed by verifying with public key failed. The key may be corrupted.", e2);
        }
    }

    private byte[] c(byte[] bArr) {
        EngineFactory engineFactory = EngineFactory.f69402d;
        Signature signature = (Signature) engineFactory.a(this.f69460c);
        signature.initSign(this.f69458a);
        signature.update(bArr);
        byte[] bArr2 = this.f69462e;
        if (bArr2.length > 0) {
            signature.update(bArr2);
        }
        byte[] sign = signature.sign();
        Signature signature2 = (Signature) engineFactory.a(this.f69460c);
        signature2.initVerify(this.f69459b);
        signature2.update(bArr);
        byte[] bArr3 = this.f69462e;
        if (bArr3.length > 0) {
            signature2.update(bArr3);
        }
        if (signature2.verify(sign)) {
            return sign;
        }
        throw new RuntimeException("Security bug: RSA signature computation error");
    }

    @Override // com.google.crypto.tink.PublicKeySign
    public byte[] a(byte[] bArr) {
        byte[] c2 = c(bArr);
        byte[] bArr2 = this.f69461d;
        return bArr2.length == 0 ? c2 : Bytes.a(bArr2, c2);
    }
}
