package com.google.crypto.tink.hybrid;

import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.hybrid.HpkeParameters;
import com.google.crypto.tink.internal.BigIntegerEncoding;
import com.google.crypto.tink.internal.EllipticCurvesUtil;
import com.google.crypto.tink.subtle.EllipticCurves;
import com.google.crypto.tink.subtle.X25519;
import com.google.crypto.tink.util.SecretBytes;
import com.google.errorprone.annotations.Immutable;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.spec.ECParameterSpec;
import java.util.Arrays;

@Immutable
/* loaded from: classes4.dex */
public final class HpkePrivateKey extends HybridPrivateKey {

    /* renamed from: a, reason: collision with root package name */
    private final HpkePublicKey f67330a;

    /* renamed from: b, reason: collision with root package name */
    private final SecretBytes f67331b;

    private HpkePrivateKey(HpkePublicKey hpkePublicKey, SecretBytes secretBytes) {
        this.f67330a = hpkePublicKey;
        this.f67331b = secretBytes;
    }

    public static HpkePrivateKey d(HpkePublicKey hpkePublicKey, SecretBytes secretBytes) {
        if (hpkePublicKey == null) {
            throw new GeneralSecurityException("HPKE private key cannot be constructed without an HPKE public key");
        }
        if (secretBytes == null) {
            throw new GeneralSecurityException("HPKE private key cannot be constructed without secret");
        }
        k(hpkePublicKey.f().e(), secretBytes);
        j(hpkePublicKey.f().e(), hpkePublicKey.g().d(), secretBytes.d(InsecureSecretKeyAccess.a()));
        return new HpkePrivateKey(hpkePublicKey, secretBytes);
    }

    private static ECParameterSpec e(HpkeParameters.KemId kemId) {
        if (kemId == HpkeParameters.KemId.f67322c) {
            return EllipticCurves.n();
        }
        if (kemId == HpkeParameters.KemId.f67323d) {
            return EllipticCurves.o();
        }
        if (kemId == HpkeParameters.KemId.f67324e) {
            return EllipticCurves.p();
        }
        throw new IllegalArgumentException("Unable to determine NIST curve params for " + kemId);
    }

    private static boolean i(HpkeParameters.KemId kemId) {
        return kemId == HpkeParameters.KemId.f67322c || kemId == HpkeParameters.KemId.f67323d || kemId == HpkeParameters.KemId.f67324e;
    }

    private static void j(HpkeParameters.KemId kemId, byte[] bArr, byte[] bArr2) {
        if (!i(kemId)) {
            if (kemId == HpkeParameters.KemId.f67325f) {
                if (!Arrays.equals(X25519.c(bArr2), bArr)) {
                    throw new GeneralSecurityException("Invalid private key for public key.");
                }
                return;
            } else {
                throw new IllegalArgumentException("Unable to validate key pair for " + kemId);
            }
        }
        ECParameterSpec e2 = e(kemId);
        BigInteger order = e2.getOrder();
        BigInteger a2 = BigIntegerEncoding.a(bArr2);
        if (a2.signum() <= 0 || a2.compareTo(order) >= 0) {
            throw new GeneralSecurityException("Invalid private key.");
        }
        if (!EllipticCurvesUtil.k(a2, e2).equals(EllipticCurves.v(e2.getCurve(), EllipticCurves.PointFormatType.UNCOMPRESSED, bArr))) {
            throw new GeneralSecurityException("Invalid private key for public key.");
        }
    }

    private static void k(HpkeParameters.KemId kemId, SecretBytes secretBytes) {
        int c2 = secretBytes.c();
        String str = "Encoded private key byte length for " + kemId + " must be %d, not " + c2;
        if (kemId == HpkeParameters.KemId.f67322c) {
            if (c2 != 32) {
                throw new GeneralSecurityException(String.format(str, 32));
            }
            return;
        }
        if (kemId == HpkeParameters.KemId.f67323d) {
            if (c2 != 48) {
                throw new GeneralSecurityException(String.format(str, 48));
            }
            return;
        }
        if (kemId == HpkeParameters.KemId.f67324e) {
            if (c2 != 66) {
                throw new GeneralSecurityException(String.format(str, 66));
            }
        } else if (kemId == HpkeParameters.KemId.f67325f) {
            if (c2 != 32) {
                throw new GeneralSecurityException(String.format(str, 32));
            }
        } else {
            throw new GeneralSecurityException("Unable to validate private key length for " + kemId);
        }
    }

    public HpkeParameters f() {
        return this.f67330a.f();
    }

    public SecretBytes g() {
        return this.f67331b;
    }

    @Override // com.google.crypto.tink.hybrid.HybridPrivateKey
    /* renamed from: h, reason: merged with bridge method [inline-methods] */
    public HpkePublicKey c() {
        return this.f67330a;
    }
}
