package U4;

import Y4.k;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.digest.Digest;
import org.apache.sshd.common.kex.AbstractDH;
import org.apache.sshd.common.kex.DHFactory;
import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.session.Session;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.Buffer;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import v5.AbstractC1794d;

/* loaded from: classes.dex */
/**
 * Client side of a Diffie-Hellman SSH key exchange (decompiled; identifiers are obfuscated).
 *
 * <p>As visible in this file, the class sends message 30 (logged as {@code SSH_MSG_KEXDH_INIT}),
 * accepts only message 31 ({@code SSH_MSG_KEXDH_REPLY}), derives the exchange hash, and checks
 * the server's signature over that hash before handing the server key to the session.
 *
 * <p>Security-relevant behaviour to keep in mind when reviewing callers:
 * <ul>
 *   <li>{@link #R6} validates an OpenSSH host certificate using a key read from the certificate
 *       itself; whether that key is a trusted authority is not decided in this class.</li>
 *   <li>{@link #s1} can continue with the bare key embedded in a certificate that failed
 *       validation, depending on a session property.</li>
 * </ul>
 */
public class b extends U4.a {

    /* renamed from: T, reason: collision with root package name */
    /** Factory that names this exchange and creates the DH instance used by {@link #P6()}. */
    protected final DHFactory f5350T;

    /* renamed from: U, reason: collision with root package name */
    /** DH state for the exchange in progress; assigned in {@link #s0}, read in {@link #s1}. */
    protected AbstractDH f5351U;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /**
     * {@link KeyExchangeFactory} adapter around a {@link DHFactory}: reports the DH factory's
     * name and creates a new {@link b} for each session.
     */
    public static class a implements KeyExchangeFactory {

        /* renamed from: F, reason: collision with root package name */
        /** Wrapped DH factory; not null-checked here (the {@link b} constructor does that). */
        final /* synthetic */ DHFactory f5352F;

        a(DHFactory dHFactory) {
            this.f5352F = dHFactory;
        }

        /** @return the name reported by the wrapped DH factory */
        @Override // org.apache.sshd.common.NamedResource
        public String getName() {
            return this.f5352F.getName();
        }

        /**
         * Creates the key-exchange instance for one session.
         *
         * @param session session the exchange will run on
         * @return a new {@link b} bound to the wrapped factory and {@code session}
         */
        @Override // org.apache.sshd.common.kex.KeyExchangeFactory
        public KeyExchange o3(Session session) {
            return new b(this.f5352F, session);
        }

        /** @return {@code NamedFactory<KeyExchange>[name]}, for diagnostics */
        public String toString() {
            return NamedFactory.class.getSimpleName() + "<" + KeyExchange.class.getSimpleName() + ">[" + getName() + "]";
        }
    }

    /**
     * @param dHFactory factory for the DH implementation; must not be {@code null}
     * @param session   session passed to the superclass
     * @throws NullPointerException if {@code dHFactory} is {@code null} (message "No factory")
     */
    protected b(DHFactory dHFactory, Session session) {
        super(session);
        Objects.requireNonNull(dHFactory, "No factory");
        this.f5350T = dHFactory;
    }

    /**
     * Static factory for the {@link KeyExchangeFactory} adapter.
     *
     * @param dHFactory DH factory to wrap; not validated until an exchange is created
     * @return a factory producing {@link b} instances
     */
    public static KeyExchangeFactory Q6(DHFactory dHFactory) {
        return new a(dHFactory);
    }

    /**
     * Creates the DH instance by calling the factory with an empty argument array.
     *
     * @return the DH object returned by the factory
     */
    protected AbstractDH P6() {
        return this.f5350T.b2(new Object[0]);
    }

    /**
     * Validates an OpenSSH host certificate received during key exchange (the debug message
     * labels this step {@code verifyCertificate}). Every failure raises
     * {@code SshException} with code 3, presumably the SSH disconnect reason
     * "key exchange failed" (confirm against the SshException constructor).
     *
     * <p>Checks performed, in this order:
     * <ol>
     *   <li>the certificate's signature algorithm is non-empty and maps to {@code "ssh-rsa"};</li>
     *   <li>a verifier exists for that algorithm and accepts the certificate's signature;</li>
     *   <li>the certificate type equals 2 (host certificate, per the error text);</li>
     *   <li>the current time lies inside the certificate's validity window;</li>
     *   <li>the host string of the session's remote address is listed as a principal;</li>
     *   <li>the certificate carries no critical options.</li>
     * </ol>
     *
     * <p>NOTE(review): the verifier is keyed with a public key read from the certificate itself
     * ({@code B()}). Nothing in this method compares that key with a configured trust anchor,
     * so a passing result here means "internally consistent", not "issued by a trusted CA".
     * Trust in the signing key presumably has to be established by whatever consumes the key
     * passed to the session afterwards; confirm against the server-key verifier in use.
     *
     * @param session            session used for algorithm lookup and by the verifier
     * @param openSshCertificate certificate presented by the server
     * @throws SshException if any of the checks above fails (not declared in this decompiled
     *                      signature)
     */
    protected void R6(Session session, OpenSshCertificate openSshCertificate) {
        // Key that the certificate signature is verified against; presumably the CA public key.
        PublicKey B7 = openSshCertificate.B();
        // Only used in the debug message below; presumably the key type of B7.
        String x7 = KeyUtils.x(B7);
        // Reported as "key ID" in every message of this method.
        String e7 = openSshCertificate.e();
        // Reported as the certificate's signature algorithm.
        String c02 = openSshCertificate.c0();
        // Presumably KeyUtils.o() canonicalises the algorithm name, so RSA signature variants
        // pass while any other family is rejected here. TODO confirm.
        if (GenericUtils.o(c02) || !"ssh-rsa".equals(KeyUtils.o(c02))) {
            throw new SshException(3, "Found invalid signature alg " + c02 + " for key ID=" + e7);
        }
        if (this.f20294F.k()) {
            this.f20294F.f("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}", session, e7, c02, x7);
        }
        // Look up a verifier for the signature algorithm; ValidateUtils.g presumably throws
        // with the formatted message when none is found.
        Signature signature = (Signature) ValidateUtils.g(k.a(session.v1(), c02), "No KeyExchange CA verifier located for algorithm=%s of key ID=%s", c02, e7);
        // Presumably: initialise the verifier with B7, feed it the signed certificate bytes,
        // then verify the certificate's signature.
        signature.X4(session, B7);
        signature.g3(session, openSshCertificate.t());
        if (!signature.N0(session, openSshCertificate.getSignature())) {
            throw new SshException(3, "KeyExchange CA signature verification failed for key type=" + c02 + " of key ID=" + e7);
        }
        // A user certificate must not be accepted as a host identity.
        if (openSshCertificate.getType() != 2) {
            throw new SshException(3, "KeyExchange signature verification failed, not a host key (2) " + openSshCertificate.getType() + " for key ID=" + e7);
        }
        // Validity window is compared in whole seconds against the local wall clock, so clock
        // skew on the client directly affects acceptance.
        long seconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        // Rejects both not-yet-valid and expired certificates; the message says "expired" in
        // either case.
        if (openSshCertificate.l() > seconds || seconds >= openSshCertificate.O()) {
            throw new SshException(3, "KeyExchange signature verification failed, CA expired " + openSshCertificate.W() + " - " + openSshCertificate.x() + " for key ID=" + e7);
        }
        // Presumably the address the client connected to; the error text calls it "connect host".
        SocketAddress N42 = O6().N4();
        if (N42 instanceof SshdSocketAddress) {
            N42 = ((SshdSocketAddress) N42).H();
        }
        if (!(N42 instanceof InetSocketAddress)) {
            throw new SshException(3, "KeyExchange signature verification failed, could not determine connect host for key ID=" + e7);
        }
        // getHostString() returns the host name, or the literal address text when no name is
        // set, without a reverse lookup.
        String hostString = ((InetSocketAddress) N42).getHostString();
        Collection V6 = openSshCertificate.V();
        // Principal check is an exact Collection.contains() match: no wildcard handling or
        // case folding is visible here, and an empty principal list is rejected.
        if (GenericUtils.q(V6) || !V6.contains(hostString)) {
            throw new SshException(3, "KeyExchange signature verification failed, invalid principal " + hostString + " for key ID=" + e7 + " - allowed=" + V6);
        }
        // Any critical option is treated as unrecognised, so the certificate is refused rather
        // than accepted with a constraint this code cannot enforce.
        if (GenericUtils.q(openSshCertificate.M())) {
            return;
        }
        throw new SshException(3, "KeyExchange signature verification failed, unrecognized critical options " + openSshCertificate.M() + " for key ID=" + e7);
    }

    /** @return the name reported by the DH factory this exchange was created with */
    @Override // org.apache.sshd.common.NamedResource
    public final String getName() {
        return this.f5350T.getName();
    }

    /**
     * Starts the exchange (logged as {@code init}): delegates to the superclass, creates the DH
     * state and its digest, and sends message 30 ({@code SSH_MSG_KEXDH_INIT}).
     *
     * <p>The four byte arrays are passed unchanged to the superclass; presumably they are the
     * client/server identification strings and KEXINIT payloads that {@link #s1} later hashes.
     * TODO confirm the order against the superclass.
     */
    @Override // org.apache.sshd.common.kex.dh.AbstractDHKeyExchange, org.apache.sshd.common.kex.KeyExchange
    public void s0(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) {
        super.s0(bArr, bArr2, bArr3, bArr4);
        AbstractDH P6 = P6();
        this.f5351U = P6;
        // Digest supplied by the DH implementation; stored for the exchange hash in s1().
        Digest e7 = P6.e();
        this.f19840L = e7;
        // Presumably initialises the digest. TODO confirm.
        e7.o0();
        // Presumably the client's public DH value, post-processed by the superclass helper J6().
        byte[] J6 = J6(this.f5351U.d());
        Session session = getSession();
        if (this.f20294F.k()) {
            this.f20294F.h("init({})[{}] Send SSH_MSG_KEXDH_INIT", this, session);
        }
        // 30 is the command byte; the second argument looks like a capacity hint for the buffer.
        Buffer j32 = session.j3((byte) 30, J6.length + 32);
        j32.b0(J6);
        session.h(j32);
    }

    /**
     * Processes the server's reply (logged as {@code next}): reads the host key blob, the
     * server's DH value and the signature, computes the exchange hash, and verifies the
     * signature with the server's key.
     *
     * <p>When the host key is an {@link OpenSshCertificate}, {@link #R6} is run first. If it
     * fails and the session property {@code AbstractC1794d.f22767q} evaluates to {@code false},
     * the failure is only logged ("Ignoring invalid certificate") and the exchange continues
     * with the public key embedded in the certificate. In that mode a certificate that is
     * expired, names another host, or fails signature verification does not abort the
     * connection; host authentication then rests entirely on how the bare key handed to the
     * session is verified. Deployments that rely on host certificates should confirm that this
     * property is enabled.
     *
     * @param i7     command byte of the received packet; must be 31
     * @param buffer packet payload
     * @return {@code true} when the server's signature over the exchange hash verifies
     * @throws SshException on an unexpected command, a rejected certificate (when the property
     *                      above is {@code true}), a missing negotiated server key algorithm,
     *                      or a failed signature check (not declared in this decompiled
     *                      signature)
     */
    @Override // org.apache.sshd.common.kex.KeyExchange
    public boolean s1(int i7, Buffer buffer) {
        PublicKey publicKey;
        W4.a O6 = O6();
        if (this.f20294F.k()) {
            this.f20294F.f("next({})[{}] process command={}", this, O6, org.apache.sshd.common.kex.k.b(i7));
        }
        // Any packet other than the DH reply is a protocol violation at this point.
        if (i7 != 31) {
            throw new SshException(3, "Protocol error: expected packet SSH_MSG_KEXDH_REPLY, got " + org.apache.sshd.common.kex.k.b(i7));
        }
        // Read order matters: host key blob, server DH value, signature.
        byte[] t7 = buffer.t();
        byte[] K6 = K6(buffer);
        byte[] t8 = buffer.t();
        // Presumably sets the peer's DH value and derives the shared secret. TODO confirm.
        this.f5351U.i(K6);
        this.f19841M = this.f5351U.f();
        // Parse the host key blob; the result may be a plain key or an OpenSSH certificate.
        PublicKey G7 = new ByteArrayBuffer(t7).G();
        if (G7 instanceof OpenSshCertificate) {
            OpenSshCertificate openSshCertificate = (OpenSshCertificate) G7;
            // Presumably the certified host public key; it is what the exchange signature is
            // checked against below, whether or not the certificate validates.
            PublicKey o7 = openSshCertificate.o();
            try {
                R6(O6, openSshCertificate);
                // Valid certificate: the certificate object itself is handed to the session.
                publicKey = G7;
            } catch (SshException e7) {
                // Property true: an invalid certificate aborts the exchange.
                if (((Boolean) AbstractC1794d.f22767q.S2(O6)).booleanValue()) {
                    throw e7;
                }
                // Property false: downgrade to the embedded plain key and carry on. The only
                // trace is this log entry, so it is worth monitoring for.
                publicKey = openSshCertificate.o();
                this.f20294F.J("Ignoring invalid certificate {}", openSshCertificate.e(), e7);
            }
            G7 = o7;
        } else {
            publicKey = G7;
        }
        // Negotiated server host key algorithm; selects the verifier used below.
        String K52 = O6.K5(KexProposalOption.SERVERKEYS);
        if (GenericUtils.o(K52)) {
            // Unlike the other failures in this class, this exception carries no code 3.
            throw new SshException("Unsupported server key type: " + G7.getAlgorithm() + "[" + G7.getFormat() + "]");
        }
        // Assemble the data that is hashed into the exchange hash. The raw host key blob (t7)
        // is hashed as received, so for a certificate the whole certificate is bound into the
        // hash. The layout appears to follow the RFC 4253 section 8 exchange hash; the mapping
        // of the four inherited fields to V_C/V_S/I_C/I_S is not visible here. TODO confirm.
        ByteArrayBuffer byteArrayBuffer = new ByteArrayBuffer();
        byteArrayBuffer.W(this.f19837I);
        byteArrayBuffer.W(this.f19836H);
        byteArrayBuffer.W(this.f19839K);
        byteArrayBuffer.W(this.f19838J);
        byteArrayBuffer.W(t7);
        byteArrayBuffer.b0(D6());
        byteArrayBuffer.b0(K6);
        byteArrayBuffer.b0(this.f19841M);
        this.f19840L.d(byteArrayBuffer.g(), 0, byteArrayBuffer.a());
        this.f19842N = this.f19840L.U();
        Signature signature = (Signature) ValidateUtils.f(k.a(O6.v1(), K52), "No verifier located for algorithm=%s", K52);
        // Presumably: initialise with the server key, feed the exchange hash, verify the
        // signature taken from the packet.
        signature.X4(O6, G7);
        signature.g3(O6, this.f19842N);
        if (signature.N0(O6, t8)) {
            // Hand the server key (certificate or plain key, see above) to the session;
            // presumably this is what a later host-key trust decision is made on.
            O6.da(publicKey);
            return true;
        }
        throw new SshException(3, "KeyExchange signature verification failed for key type=" + K52);
    }
}
