package com.google.crypto.tink.signature.internal;

import com.google.crypto.tink.AccessesPartialKey;
import com.google.crypto.tink.PublicKeyVerify;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.internal.Util;
import com.google.crypto.tink.signature.Ed25519Parameters;
import com.google.crypto.tink.signature.Ed25519PublicKey;
import com.google.crypto.tink.subtle.Bytes;
import com.google.crypto.tink.subtle.EngineFactory;
import com.google.errorprone.annotations.Immutable;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

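/**
 * Ed25519 signature verification that delegates to the JCA {@link Signature} engine.
 *
 * <p>A signature accepted by {@link #verify} has the layout
 * {@code outputPrefix || 64-byte raw Ed25519 signature}. For the {@code LEGACY} parameters variant
 * a single zero byte is fed to the verifier after the message.
 *
 * <p>This listing is decompiler output. Literal values that the decompiler inlined have been
 * mapped back to the named constants declared here.
 */
@Immutable
/* loaded from: input_file:WEB-INF/detached-plugins/trilead-api.hpi:WEB-INF/lib/tink-1.17.0.jar:com/google/crypto/tink/signature/internal/Ed25519VerifyJce.class */
public final class Ed25519VerifyJce implements PublicKeyVerify {
    /** Ed25519 is declared as not FIPS compatible; construction is refused when this check fails. */
    public static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS;

    /** Length in bytes of a raw Ed25519 public key. */
    private static final int PUBLIC_KEY_LEN = 32;

    /** Length in bytes of a raw Ed25519 signature, excluding any output prefix. */
    private static final int SIGNATURE_LEN = 64;

    private static final String ALGORITHM_NAME = "Ed25519";

    /**
     * DER header of an X.509 SubjectPublicKeyInfo for Ed25519:
     * SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 } BIT STRING(33), 0 unused bits }.
     * Appending the 32 raw key bytes completes the 44-byte structure.
     */
    private static final byte[] ED25519_X509_PREFIX = {48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0};

    private final PublicKey publicKey;
    // Copied at construction and never written afterwards, so the @Immutable contract holds
    // even if a caller keeps a reference to the arrays it passed in.
    private final byte[] outputPrefix;
    private final byte[] messageSuffix;

    /**
     * Wraps a raw Ed25519 public key in its X.509 SubjectPublicKeyInfo encoding.
     *
     * <p>Only the length is checked here. Whether the bytes encode a valid curve point is left to
     * the provider that later parses the encoding.
     *
     * @param publicKeyBytes the raw 32-byte public key
     * @return the DER prefix followed by {@code publicKeyBytes}
     * @throws IllegalArgumentException if {@code publicKeyBytes} is not exactly 32 bytes long
     */
    static byte[] x509EncodePublicKey(byte[] publicKeyBytes) throws GeneralSecurityException {
        if (publicKeyBytes.length != PUBLIC_KEY_LEN) {
            throw new IllegalArgumentException(String.format("Given public key's length is not %s.", PUBLIC_KEY_LEN));
        }
        // The decompiler emitted `new byte[]{prefix, key}` here (see its type-inference warning),
        // which does not compile; the call is a plain concatenation of the two arrays.
        return Bytes.concat(ED25519_X509_PREFIX, publicKeyBytes);
    }

    /**
     * Creates a verifier for the given key, honouring its output prefix and parameters variant.
     *
     * @param ed25519PublicKey the key to verify with
     * @return a verifier bound to that key
     * @throws GeneralSecurityException if the FIPS compatibility check fails, or the provider
     *     rejects the algorithm or the encoded key
     */
    @AccessesPartialKey
    public static PublicKeyVerify create(Ed25519PublicKey ed25519PublicKey) throws GeneralSecurityException {
        if (!FIPS.isCompatible()) {
            throw new GeneralSecurityException("Can not use Ed25519 in FIPS-mode.");
        }
        // LEGACY keys sign message || 0x00, so the verifier must append the same byte.
        byte[] suffix =
                ed25519PublicKey.getParameters().getVariant().equals(Ed25519Parameters.Variant.LEGACY)
                        ? new byte[] {0}
                        : new byte[0];
        return new Ed25519VerifyJce(
                ed25519PublicKey.getPublicKeyBytes().toByteArray(),
                ed25519PublicKey.getOutputPrefix().toByteArray(),
                suffix);
    }

    /**
     * Creates a verifier for a raw public key with no output prefix and no message suffix.
     *
     * @param publicKeyBytes the raw 32-byte public key
     * @throws GeneralSecurityException if the FIPS compatibility check fails or the provider
     *     rejects the key
     */
    Ed25519VerifyJce(byte[] publicKeyBytes) throws GeneralSecurityException {
        this(publicKeyBytes, new byte[0], new byte[0]);
    }

    private Ed25519VerifyJce(byte[] publicKeyBytes, byte[] outputPrefix, byte[] messageSuffix) throws GeneralSecurityException {
        if (!FIPS.isCompatible()) {
            throw new GeneralSecurityException("Can not use Ed25519 in FIPS-mode.");
        }
        this.publicKey =
                EngineFactory.KEY_FACTORY
                        .getInstance(ALGORITHM_NAME)
                        .generatePublic(new X509EncodedKeySpec(x509EncodePublicKey(publicKeyBytes)));
        // Defensive copies: the fields must not alias caller-owned, mutable arrays.
        this.outputPrefix = outputPrefix.clone();
        this.messageSuffix = messageSuffix.clone();
    }

    /**
     * Reports whether both a key factory and a signature engine for Ed25519 can be obtained.
     *
     * @return {@code true} if both lookups succeed, {@code false} if either throws
     *     {@link GeneralSecurityException}
     */
    public static boolean isSupported() {
        try {
            EngineFactory.KEY_FACTORY.getInstance(ALGORITHM_NAME);
            EngineFactory.SIGNATURE.getInstance(ALGORITHM_NAME);
            return true;
        } catch (GeneralSecurityException e) {
            // A missing algorithm is the expected "not supported" answer, not an error.
            return false;
        }
    }

    /**
     * Verifies {@code signature} over {@code data}.
     *
     * <p>Checks run in this order: total length, output prefix, then the cryptographic check.
     * Returning normally is the only success signal. Every failure path throws.
     *
     * @param signature the output prefix followed by the 64-byte raw signature
     * @param data the signed message, without the variant-dependent suffix
     * @throws GeneralSecurityException if the length or prefix is wrong, the provider fails, or
     *     the signature does not verify
     */
    @Override
    public void verify(byte[] signature, byte[] data) throws GeneralSecurityException {
        // The message reports the expected raw signature length, not the length received.
        if (signature.length != this.outputPrefix.length + SIGNATURE_LEN) {
            throw new GeneralSecurityException(String.format("Invalid signature length: %s", SIGNATURE_LEN));
        }
        if (!Util.isPrefix(this.outputPrefix, signature)) {
            throw new GeneralSecurityException("Invalid signature (output prefix mismatch)");
        }
        // A fresh engine per call: no Signature state is shared between invocations.
        Signature verifier = EngineFactory.SIGNATURE.getInstance(ALGORITHM_NAME);
        verifier.initVerify(this.publicKey);
        verifier.update(data);
        verifier.update(this.messageSuffix);
        boolean verified;
        try {
            verified = verifier.verify(signature, this.outputPrefix.length, SIGNATURE_LEN);
        } catch (RuntimeException e) {
            // Fail closed: an unchecked exception from the provider counts as a rejected
            // signature (presumably raised on malformed input; confirm per provider).
            verified = false;
        }
        if (!verified) {
            throw new GeneralSecurityException("Signature check failed.");
        }
    }
}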
