package org.apache.spark.network.crypto;

import com.google.crypto.tink.subtle.AesGcmJce;
import com.google.crypto.tink.subtle.Hkdf;
import com.google.crypto.tink.subtle.Random;
import com.google.crypto.tink.subtle.X25519;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import java.io.Closeable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;
import org.apache.spark.network.util.TransportConf;
import org.sparkproject.guava.annotations.VisibleForTesting;
import org.sparkproject.guava.base.Preconditions;
import org.sparkproject.guava.primitives.Bytes;

/* loaded from: input_file:org/apache/spark/network/crypto/AuthEngine.class */
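/**
 * Runs a key exchange between two peers that share an application id and a
 * pre-shared secret, and produces the {@link TransportCipher} for the session.
 *
 * <p>Flow as implemented below:
 * <ol>
 *   <li>{@link #challenge()}: the client generates an ephemeral X25519 key pair and sends its
 *       public key encrypted with AES-GCM under a key derived (HKDF) from the pre-shared
 *       secret and a fresh random salt.</li>
 *   <li>{@link #response(AuthMessage)}: the server decrypts that key, generates its own
 *       ephemeral key pair, returns its encrypted public key (bound to the challenge through
 *       the AES-GCM associated data) and derives the session cipher.</li>
 *   <li>{@link #deriveSessionCipher(AuthMessage, AuthMessage)}: the client decrypts the
 *       server's key and derives the same session cipher.</li>
 * </ol>
 *
 * <p>This listing is decompiler output: the members declared {@code public} here were
 * package-private in the compiled class, per the decompiler's notes.
 */
class AuthEngine implements Closeable {
    private static final String MAC_ALGORITHM = "HMACSHA256";
    private static final int AES_GCM_KEY_SIZE_BYTES = 16;
    private static final int UNSAFE_SKIP_HKDF_VERSION = 1;
    private final String appId;
    private final byte[] preSharedSecret;
    private final TransportConf conf;
    private final Properties cryptoConf;
    private final boolean unsafeSkipFinalHkdf;
    private byte[] clientPrivateKey;
    private TransportCipher sessionCipher;
    // HKDF "info" labels that separate the session key from the two IVs.
    // NOTE(review): these are public mutable arrays; nothing in this class writes to them,
    // but any code that can see them could alter the labels.
    public static final byte[] DERIVED_KEY_INFO = "derivedKey".getBytes(StandardCharsets.UTF_8);
    public static final byte[] INPUT_IV_INFO = "inputIv".getBytes(StandardCharsets.UTF_8);
    public static final byte[] OUTPUT_IV_INFO = "outputIv".getBytes(StandardCharsets.UTF_8);
    private static final byte[] EMPTY_TRANSCRIPT = new byte[0];

    /**
     * Creates an engine for one authentication exchange.
     *
     * @param appId application identifier; must match the id carried by every peer message
     * @param preSharedSecret shared secret, used (UTF-8 encoded) as HKDF input key material
     * @param conf transport configuration supplying the crypto properties, the cipher
     *     transformation and the auth engine version
     * @throws NullPointerException if {@code appId} or {@code preSharedSecret} is null
     */
    public AuthEngine(String appId, String preSharedSecret, TransportConf conf) {
        Preconditions.checkNotNull(appId);
        Preconditions.checkNotNull(preSharedSecret);
        this.appId = appId;
        this.preSharedSecret = preSharedSecret.getBytes(StandardCharsets.UTF_8);
        this.conf = conf;
        this.cryptoConf = conf.cryptoConf();
        // Engine version 1 is the legacy mode that skips the final HKDF step when the session
        // key is produced (see generateTransportCipher).
        this.unsafeSkipFinalHkdf = conf.authEngineVersion() == UNSAFE_SKIP_HKDF_VERSION;
    }

    /**
     * Installs the client's X25519 private key. The array is stored by reference, not copied.
     *
     * @param privateKey the private key to use in {@link #deriveSessionCipher}
     */
    @VisibleForTesting
    void setClientPrivateKey(byte[] privateKey) {
        this.clientPrivateKey = privateKey;
    }

    /**
     * Encrypts an ephemeral public key under a key derived from the pre-shared secret.
     *
     * @param ephemeralPublicKey the X25519 public key to protect
     * @param transcript bytes of the messages exchanged so far (empty for the first message)
     * @return a message carrying the app id, the random salt and the AES-GCM ciphertext
     * @throws GeneralSecurityException if key derivation or encryption fails
     */
    private AuthMessage encryptEphemeralPublicKey(byte[] ephemeralPublicKey, byte[] transcript)
            throws GeneralSecurityException {
        // A fresh salt per message gives a fresh AES-GCM key per message.
        byte[] salt = Random.randBytes(AES_GCM_KEY_SIZE_BYTES);
        // app id || salt || transcript serves both as HKDF info and as AES-GCM associated
        // data, so the ciphertext only verifies in the context it was produced for.
        byte[] aadState = Bytes.concat(this.appId.getBytes(StandardCharsets.UTF_8), salt, transcript);
        byte[] derivedKey = Hkdf.computeHkdf(
                MAC_ALGORITHM, this.preSharedSecret, salt, aadState, AES_GCM_KEY_SIZE_BYTES);
        byte[] ciphertext = new AesGcmJce(derivedKey).encrypt(ephemeralPublicKey, aadState);
        return new AuthMessage(this.appId, salt, ciphertext);
    }

    /**
     * Decrypts and authenticates a peer's encrypted ephemeral public key.
     *
     * @param encryptedPublicKey the peer message holding salt and ciphertext
     * @param transcript bytes of the messages that preceded {@code encryptedPublicKey}
     * @return the peer's X25519 public key
     * @throws IllegalArgumentException if the message's app id differs from this engine's
     * @throws GeneralSecurityException if derivation fails or the AES-GCM tag does not verify
     */
    private byte[] decryptEphemeralPublicKey(AuthMessage encryptedPublicKey, byte[] transcript)
            throws GeneralSecurityException {
        Preconditions.checkArgument(this.appId.equals(encryptedPublicKey.appId()));
        // Rebuild exactly the associated data the sender used; any mismatch fails decryption.
        byte[] aadState = Bytes.concat(
                this.appId.getBytes(StandardCharsets.UTF_8), encryptedPublicKey.salt(), transcript);
        byte[] derivedKey = Hkdf.computeHkdf(
                MAC_ALGORITHM, this.preSharedSecret, encryptedPublicKey.salt(), aadState,
                AES_GCM_KEY_SIZE_BYTES);
        return new AesGcmJce(derivedKey).decrypt(encryptedPublicKey.ciphertext(), aadState);
    }

    /**
     * Client step 1: generates the client's ephemeral key pair and returns the encrypted
     * public key to send to the server.
     *
     * @return the challenge message
     * @throws GeneralSecurityException if key generation or encryption fails
     */
    public AuthMessage challenge() throws GeneralSecurityException {
        setClientPrivateKey(X25519.generatePrivateKey());
        return encryptEphemeralPublicKey(
                X25519.publicFromPrivate(this.clientPrivateKey), EMPTY_TRANSCRIPT);
    }

    /**
     * Server step: validates the client's challenge, answers with the server's encrypted
     * ephemeral public key and derives the session cipher.
     *
     * @param encryptedClientPublicKey the challenge received from the client
     * @return the response message to send back
     * @throws IllegalArgumentException if the challenge carries a different app id
     * @throws GeneralSecurityException if decryption, key agreement or derivation fails
     */
    public AuthMessage response(AuthMessage encryptedClientPublicKey) throws GeneralSecurityException {
        Preconditions.checkArgument(this.appId.equals(encryptedClientPublicKey.appId()));
        byte[] clientPublicKey = decryptEphemeralPublicKey(encryptedClientPublicKey, EMPTY_TRANSCRIPT);
        byte[] serverPrivateKey = X25519.generatePrivateKey();
        // The response is bound to the challenge by using the challenge as its transcript.
        AuthMessage serverResponse = encryptEphemeralPublicKey(
                X25519.publicFromPrivate(serverPrivateKey), getTranscript(encryptedClientPublicKey));
        byte[] sharedSecret = X25519.computeSharedSecret(serverPrivateKey, clientPublicKey);
        this.sessionCipher = generateTransportCipher(
                sharedSecret, false, getTranscript(encryptedClientPublicKey, serverResponse));
        return serverResponse;
    }

    /**
     * Client step 2: decrypts the server's response and derives the session cipher.
     *
     * @param encryptedClientPublicKey the challenge this client sent
     * @param encryptedServerPublicKey the response received from the server
     * @throws IllegalArgumentException if either message carries a different app id
     * @throws IllegalStateException if no client private key has been set yet
     * @throws GeneralSecurityException if decryption, key agreement or derivation fails
     */
    public void deriveSessionCipher(AuthMessage encryptedClientPublicKey,
            AuthMessage encryptedServerPublicKey) throws GeneralSecurityException {
        Preconditions.checkArgument(this.appId.equals(encryptedClientPublicKey.appId()));
        Preconditions.checkArgument(this.appId.equals(encryptedServerPublicKey.appId()));
        // Fail with a clear state error instead of a NullPointerException deep inside the
        // key agreement when challenge() was never called on this engine.
        Preconditions.checkState(this.clientPrivateKey != null,
                "challenge() must be called before deriveSessionCipher()");
        byte[] serverPublicKey = decryptEphemeralPublicKey(
                encryptedServerPublicKey, getTranscript(encryptedClientPublicKey));
        byte[] sharedSecret = X25519.computeSharedSecret(this.clientPrivateKey, serverPublicKey);
        this.sessionCipher = generateTransportCipher(
                sharedSecret, true, getTranscript(encryptedClientPublicKey, encryptedServerPublicKey));
    }

    /**
     * Builds the session cipher from the X25519 shared secret and the handshake transcript.
     *
     * @param sharedSecret output of the X25519 key agreement
     * @param isClient true on the client side; swaps which derived IV is passed first
     * @param transcript both handshake messages, used as the HKDF salt
     * @return the cipher for the session
     * @throws GeneralSecurityException if key derivation fails
     */
    private TransportCipher generateTransportCipher(byte[] sharedSecret, boolean isClient,
            byte[] transcript) throws GeneralSecurityException {
        // Security note: in the legacy version-1 mode the raw X25519 output is used directly
        // as the AES key. It is then neither passed through a KDF nor bound to the transcript;
        // only the two IVs below are. Other versions derive the key with HKDF.
        byte[] sessionKey = this.unsafeSkipFinalHkdf
                ? sharedSecret
                : Hkdf.computeHkdf(
                        MAC_ALGORITHM, sharedSecret, transcript, DERIVED_KEY_INFO, AES_GCM_KEY_SIZE_BYTES);
        byte[] inputIv = Hkdf.computeHkdf(
                MAC_ALGORITHM, sharedSecret, transcript, INPUT_IV_INFO, AES_GCM_KEY_SIZE_BYTES);
        byte[] outputIv = Hkdf.computeHkdf(
                MAC_ALGORITHM, sharedSecret, transcript, OUTPUT_IV_INFO, AES_GCM_KEY_SIZE_BYTES);
        // NOTE(review): the transformation string comes from configuration and is not visible
        // here; confirm whether the resulting channel is integrity-protected.
        return new TransportCipher(
                this.cryptoConf,
                this.conf.cipherTransformation(),
                new SecretKeySpec(sessionKey, "AES"),
                isClient ? inputIv : outputIv,
                isClient ? outputIv : inputIv);
    }

    /**
     * Serializes the given messages, in order, into one byte array.
     *
     * @param messages the handshake messages to include
     * @return the concatenated encodings
     */
    private byte[] getTranscript(AuthMessage... messages) {
        int totalLength = Arrays.stream(messages).mapToInt(AuthMessage::encodedLength).sum();
        ByteBuf transcript = Unpooled.buffer(totalLength);
        for (AuthMessage message : messages) {
            message.encode(transcript);
        }
        // Returns the buffer's backing array, which was sized to the summed encoded lengths.
        return transcript.array();
    }

    /**
     * Returns the session cipher derived by {@link #response} or {@link #deriveSessionCipher}.
     *
     * @return the session cipher
     * @throws IllegalStateException if no cipher has been derived yet
     */
    public TransportCipher sessionCipher() {
        Preconditions.checkState(this.sessionCipher != null);
        return this.sessionCipher;
    }

    /**
     * No-op. NOTE(review): the pre-shared secret and the client private key held by this
     * object are not cleared here.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
    }
}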
