package e5;

import g5.AbstractC1263a;
import i5.AbstractC1350k;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.digest.Digest;
import org.apache.sshd.common.kex.AbstractDH;
import org.apache.sshd.common.kex.DHFactory;
import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.kex.k;
import org.apache.sshd.common.session.Session;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.Buffer;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.apache.sshd.common.util.net.SshdSocketAddress;

/* renamed from: e5.b, reason: case insensitive filesystem */
/* loaded from: classes.dex */
/**
 * Initiating side of a Diffie-Hellman SSH key exchange: {@link #v0} sends
 * SSH_MSG_KEXDH_INIT and {@link #z1} processes SSH_MSG_KEXDH_REPLY (message names are
 * taken from the log and exception strings below).
 *
 * <p>Decompiled code: most identifiers are obfuscated, so comments describe only what the
 * visible statements and message strings establish; anything else is marked as an assumption.
 *
 * <p>Security-relevant behaviour to be aware of when auditing:
 * <ul>
 *   <li>{@link #Z6} validates an OpenSSH host certificate against the CA key embedded in
 *       that same certificate; it does not decide whether that CA is trusted.</li>
 *   <li>{@link #z1} can be configured to continue with the certificate's embedded plain key
 *       when certificate validation fails, instead of aborting.</li>
 * </ul>
 */
public class C1119b extends AbstractC1118a {

    /* renamed from: T, reason: collision with root package name */
    // DH factory; required non-null by the constructor. Supplies this exchange's name and
    // creates the AbstractDH instance (see X6()).
    protected final DHFactory f17311T;

    /* renamed from: U, reason: collision with root package name */
    // DH state for the current exchange; assigned in v0() and read in z1().
    protected AbstractDH f17312U;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: e5.b$a */
    /* loaded from: classes.dex */
    /**
     * {@link KeyExchangeFactory} that captures one {@link DHFactory} and builds a new
     * {@code C1119b} for each session. Its name is the captured factory's name.
     */
    public static class a implements KeyExchangeFactory {

        /* renamed from: F, reason: collision with root package name */
        final /* synthetic */ DHFactory f17313F;

        // No null check here; a null factory only fails later, in getName() or in the
        // C1119b constructor.
        a(DHFactory dHFactory) {
            this.f17313F = dHFactory;
        }

        @Override // org.apache.sshd.common.NamedResource
        public String getName() {
            return this.f17313F.getName();
        }

        /** Diagnostic form: {@code NamedFactory<KeyExchange>[name]}. */
        public String toString() {
            return NamedFactory.class.getSimpleName() + "<" + KeyExchange.class.getSimpleName() + ">[" + getName() + "]";
        }

        /** Creates the key exchange instance bound to {@code session}. */
        @Override // org.apache.sshd.common.kex.KeyExchangeFactory
        public KeyExchange w3(Session session) {
            return new C1119b(this.f17313F, session);
        }
    }

    /**
     * @param dHFactory factory for the DH implementation; must not be null
     * @param session   session passed to the superclass constructor
     * @throws NullPointerException if {@code dHFactory} is null ("No factory")
     */
    protected C1119b(DHFactory dHFactory, Session session) {
        super(session);
        Objects.requireNonNull(dHFactory, "No factory");
        this.f17311T = dHFactory;
    }

    /** Returns a {@link KeyExchangeFactory} wrapping {@code dHFactory}. */
    public static KeyExchangeFactory Y6(DHFactory dHFactory) {
        return new a(dHFactory);
    }

    /** Asks the DH factory for an {@link AbstractDH}, passing an empty argument array. */
    protected AbstractDH X6() {
        return this.f17311T.h2(new Object[0]);
    }

    /**
     * Validates an OpenSSH certificate received as the server's host key. Every failure is
     * reported as an {@link SshException} with reason code 3, which RFC 4253 assigns to
     * SSH_DISCONNECT_KEY_EXCHANGE_FAILED.
     *
     * <p>Checks, in order: signature algorithm, CA signature over the certificate, certificate
     * type, validity window, principal match against the connect host, and absence of
     * critical options.
     *
     * <p>NOTE(review): the verification key returned by {@code D()} comes from the certificate
     * itself and is never compared with a trusted-CA list in this method. Passing these checks
     * therefore shows only that the certificate is internally consistent; trust in the CA has
     * to be enforced elsewhere (presumably by whatever consumes the key handed to
     * {@code T9} in {@link #z1} -- confirm).
     *
     * @param session            session used for logging and to look up signature factories
     * @param openSshCertificate certificate to validate
     * @throws SshException if any check fails
     */
    protected void Z6(Session session, OpenSshCertificate openSshCertificate) {
        // Key used below to verify the certificate's signature (the error strings call it
        // the "CA"); x7 is derived from it and used only in the debug log line.
        PublicKey D7 = openSshCertificate.D();
        String x7 = KeyUtils.x(D7);
        // e7 appears in every message as "key ID"; a02 as the signature algorithm.
        String e7 = openSshCertificate.e();
        String a02 = openSshCertificate.a0();
        // Only signature algorithms that KeyUtils.o() maps to "ssh-rsa" are accepted; an
        // empty algorithm is rejected. Presumably o() is a canonical-key-type mapping, so
        // RSA variants pass while certificates signed by other CA key types are refused
        // -- TODO confirm against KeyUtils.
        if (GenericUtils.o(a02) || !"ssh-rsa".equals(KeyUtils.o(a02))) {
            throw new SshException(3, "Found invalid signature alg " + a02 + " for key ID=" + e7);
        }
        if (this.f21687F.k()) {
            this.f21687F.d("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}", session, e7, a02, x7);
        }
        // Look up a verifier for a02 among the session's signature factories; fails with
        // the formatted message if none is found.
        Signature signature = (Signature) ValidateUtils.g(AbstractC1350k.a(session.C1(), a02), "No KeyExchange CA verifier located for algorithm=%s of key ID=%s", a02, e7);
        // Initialise with the embedded CA key, feed the bytes from r(), then check the
        // certificate's signature over them.
        signature.e5(session, D7);
        signature.o3(session, openSshCertificate.r());
        if (!signature.R0(session, openSshCertificate.getSignature())) {
            throw new SshException(3, "KeyExchange CA signature verification failed for key type=" + a02 + " of key ID=" + e7);
        }
        // Type 2 is the host-certificate type per the message; anything else (e.g. a user
        // certificate) must not be accepted as a host key.
        if (openSshCertificate.getType() != 2) {
            throw new SshException(3, "KeyExchange signature verification failed, not a host key (2) " + openSshCertificate.getType() + " for key ID=" + e7);
        }
        // Validity window, evaluated against the local wall clock in whole seconds:
        // accepted only when l() <= now < O().
        // NOTE(review): this is a signed long comparison. If l()/O() carry the certificate's
        // unsigned 64-bit validity bounds unchanged, an all-ones "no expiry" upper bound would
        // read as -1 and be rejected here -- confirm how OpenSshCertificate represents it.
        long seconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        if (openSshCertificate.l() > seconds || seconds >= openSshCertificate.O()) {
            throw new SshException(3, "KeyExchange signature verification failed, CA expired " + openSshCertificate.W() + " - " + openSshCertificate.u() + " for key ID=" + e7);
        }
        // Determine the host that was connected to; an SshdSocketAddress is first converted
        // via F(), and anything that is not an InetSocketAddress is rejected.
        SocketAddress T42 = W6().T4();
        if (T42 instanceof SshdSocketAddress) {
            T42 = ((SshdSocketAddress) T42).F();
        }
        if (!(T42 instanceof InetSocketAddress)) {
            throw new SshException(3, "KeyExchange signature verification failed, could not determine connect host for key ID=" + e7);
        }
        // getHostString() returns the host name or the literal address without a reverse
        // lookup, so the value compared is the one the address was created with.
        String hostString = ((InetSocketAddress) T42).getHostString();
        Collection V6 = openSshCertificate.V();
        // Principal check: an empty principal list is rejected, and the match is an exact
        // Collection.contains() on the host string (no wildcard or pattern handling here).
        if (GenericUtils.q(V6) || !V6.contains(hostString)) {
            throw new SshException(3, "KeyExchange signature verification failed, invalid principal " + hostString + " for key ID=" + e7 + " - allowed=" + V6);
        }
        // Fail closed on critical options: none are understood here, so any present
        // option makes the certificate invalid.
        if (GenericUtils.q(openSshCertificate.M())) {
            return;
        }
        throw new SshException(3, "KeyExchange signature verification failed, unrecognized critical options " + openSshCertificate.M() + " for key ID=" + e7);
    }

    /** Returns the name of the underlying DH factory. */
    @Override // org.apache.sshd.common.NamedResource
    public final String getName() {
        return this.f17311T.getName();
    }

    /**
     * Starts the exchange: runs the superclass initialisation, creates the DH instance and
     * its digest, and sends SSH_MSG_KEXDH_INIT (message type 30).
     *
     * <p>The four byte arrays are forwarded unchanged to the superclass; their meaning is not
     * visible in this class.
     */
    @Override // org.apache.sshd.common.kex.dh.AbstractDHKeyExchange, org.apache.sshd.common.kex.KeyExchange
    public void v0(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) {
        super.v0(bArr, bArr2, bArr3, bArr4);
        AbstractDH X6 = X6();
        this.f17312U = X6;
        // The digest comes from the DH instance and is stored in f21233L, which z1() later
        // uses to hash the exchange data.
        Digest e7 = X6.e();
        this.f21233L = e7;
        e7.r0(); // presumably initialises/resets the digest -- TODO confirm
        // R6(...) records and returns the local DH value obtained from d(); the returned
        // bytes are the payload of the INIT message.
        byte[] R6 = R6(this.f17312U.d());
        Session session = getSession();
        if (this.f21687F.k()) {
            this.f21687F.h("init({})[{}] Send SSH_MSG_KEXDH_INIT", this, session);
        }
        // Buffer for command 30; the second argument looks like a size hint (payload plus
        // 32 bytes of slack) -- TODO confirm.
        Buffer q32 = session.q3((byte) 30, R6.length + 32);
        q32.b0(R6);
        session.h(q32);
    }

    /**
     * Processes the server's SSH_MSG_KEXDH_REPLY (message type 31): derives the shared
     * secret, computes the exchange hash and verifies the server's signature over it.
     *
     * <p>If the host key is an {@link OpenSshCertificate} it is validated with {@link #Z6}.
     * When validation fails, the boolean property {@code F5.d.f2692q} decides the outcome:
     * {@code true} rethrows and aborts the exchange; {@code false} logs
     * "Ignoring invalid certificate" and continues with the certificate's embedded plain key.
     * In that second mode an expired, mis-issued or wrong-principal certificate does not stop
     * the connection by itself, so rejection depends entirely on whatever later evaluates the
     * key passed to {@code T9}. Deployments relying on host certificates should keep the
     * property enabled and treat that log message as an alert-worthy event.
     *
     * @param i7     received message type; must be 31
     * @param buffer message payload: host key blob, server DH value, signature (read in
     *               that order)
     * @return {@code true} once the signature has been verified
     * @throws SshException on an unexpected message type, an invalid certificate (when the
     *                      abort property is set), a missing negotiated server key algorithm,
     *                      or a failed signature verification
     */
    @Override // org.apache.sshd.common.kex.KeyExchange
    public boolean z1(int i7, Buffer buffer) {
        PublicKey publicKey;
        AbstractC1263a W6 = W6();
        if (this.f21687F.k()) {
            this.f21687F.d("next({})[{}] process command={}", this, W6, k.b(i7));
        }
        if (i7 != 31) {
            throw new SshException(3, "Protocol error: expected packet SSH_MSG_KEXDH_REPLY, got " + k.b(i7));
        }
        // Read order is part of the wire format and must not change:
        // t7 = encoded host key, S6 = server DH value, t8 = signature.
        byte[] t7 = buffer.t();
        byte[] S6 = S6(buffer);
        byte[] t8 = buffer.t();
        // Feed the server value into the DH state and keep the result in f21234M; it is
        // hashed below as the last exchange-hash input.
        this.f17312U.i(S6);
        this.f21234M = this.f17312U.f();
        PublicKey G7 = new ByteArrayBuffer(t7).G();
        if (G7 instanceof OpenSshCertificate) {
            OpenSshCertificate openSshCertificate = (OpenSshCertificate) G7;
            // m() is the plain key carried inside the certificate.
            PublicKey m7 = openSshCertificate.m();
            try {
                Z6(W6, openSshCertificate);
                // Valid certificate: the certificate object itself is what gets recorded
                // via T9 after the signature check.
                publicKey = G7;
            } catch (SshException e7) {
                // Property true -> fail the exchange on an invalid certificate.
                if (((Boolean) F5.d.f2692q.b3(W6)).booleanValue()) {
                    throw e7;
                }
                // Downgrade path: discard the certificate and record only its embedded
                // key, so later checks see an ordinary host key rather than a certificate.
                publicKey = openSshCertificate.m();
                this.f21687F.J("Ignoring invalid certificate {}", openSshCertificate.e(), e7);
            }
            // In both outcomes the exchange-hash signature is verified with the embedded
            // key, never with the certificate wrapper.
            G7 = m7;
        } else {
            publicKey = G7;
        }
        // Server host key algorithm agreed during negotiation; without one there is no way
        // to pick a verifier. Note this exception is raised without a reason code.
        String U52 = W6.U5(KexProposalOption.SERVERKEYS);
        if (GenericUtils.o(U52)) {
            throw new SshException("Unsupported server key type: " + G7.getAlgorithm() + "[" + G7.getFormat() + "]");
        }
        // Exchange hash input. Four superclass fields, the raw host key blob exactly as
        // received (t7, i.e. the full certificate when one was sent), the local DH value
        // from L6(), the server DH value and the shared secret.
        // Presumably this is RFC 4253 section 8 order (V_C, V_S, I_C, I_S, K_S, e, f, K)
        // -- TODO confirm the field mapping. Statement order here is significant.
        ByteArrayBuffer byteArrayBuffer = new ByteArrayBuffer();
        byteArrayBuffer.V(this.f21230I);
        byteArrayBuffer.V(this.f21229H);
        byteArrayBuffer.V(this.f21232K);
        byteArrayBuffer.V(this.f21231J);
        byteArrayBuffer.V(t7);
        byteArrayBuffer.b0(L6());
        byteArrayBuffer.b0(S6);
        byteArrayBuffer.b0(this.f21234M);
        this.f21233L.d(byteArrayBuffer.g(), 0, byteArrayBuffer.a());
        this.f21235N = this.f21233L.Y();
        // Verify the server's signature (t8) over the hash using the negotiated algorithm
        // and the server's plain public key. This proves possession of the private key; it
        // does not by itself establish that the key belongs to the intended host.
        Signature signature = (Signature) ValidateUtils.f(AbstractC1350k.a(W6.C1(), U52), "No verifier located for algorithm=%s", U52);
        signature.e5(W6, G7);
        signature.o3(W6, this.f21235N);
        if (signature.R0(W6, t8)) {
            // Record the key (certificate or plain key, as decided above) on the session
            // only after the signature check has passed.
            W6.T9(publicKey);
            return true;
        }
        throw new SshException(3, "KeyExchange signature verification failed for key type=" + U52);
    }
}
