package com.google.crypto.tink.signature.internal;

import com.google.crypto.tink.AccessesPartialKey;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.PublicKeySign;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.signature.Ed25519Parameters;
import com.google.crypto.tink.signature.Ed25519PrivateKey;
import com.google.crypto.tink.subtle.Bytes;
import com.google.crypto.tink.subtle.EngineFactory;
import com.google.errorprone.annotations.Immutable;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;

@Immutable
/* loaded from: input_file:WEB-INF/detached-plugins/trilead-api.hpi:WEB-INF/lib/tink-1.16.0.jar:com/google/crypto/tink/signature/internal/Ed25519SignJce.class */
public final class Ed25519SignJce implements PublicKeySign {
    public static final int SECRET_KEY_LEN = 32;
    public static final int SIGNATURE_LEN = 64;
    private static final String ALGORITHM_NAME = "Ed25519";
    private final byte[] outputPrefix;
    private final byte[] messageSuffix;
    private final PrivateKey privateKey;
    public static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS;
    private static final byte[] ED25519_PKCS8_PREFIX = {48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32};

    /* JADX WARN: Type inference failed for: r0v3, types: [byte[], byte[][]] */
    static byte[] pkcs8EncodePrivateKey(byte[] bArr) throws GeneralSecurityException {
        if (bArr.length != 32) {
            throw new IllegalArgumentException(String.format("Given private key's length is not %s", 32));
        }
        return Bytes.concat(new byte[]{ED25519_PKCS8_PREFIX, bArr});
    }

    @AccessesPartialKey
    public static PublicKeySign create(Ed25519PrivateKey ed25519PrivateKey) throws GeneralSecurityException {
        return new Ed25519SignJce(ed25519PrivateKey.getPrivateKeyBytes().toByteArray(InsecureSecretKeyAccess.get()), ed25519PrivateKey.getOutputPrefix().toByteArray(), ed25519PrivateKey.getParameters().getVariant().equals(Ed25519Parameters.Variant.LEGACY) ? new byte[]{0} : new byte[0]);
    }

    private Ed25519SignJce(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        if (!FIPS.isCompatible()) {
            throw new GeneralSecurityException("Can not use Ed25519 in FIPS-mode.");
        }
        this.outputPrefix = bArr2;
        this.messageSuffix = bArr3;
        this.privateKey = EngineFactory.KEY_FACTORY.getInstance("Ed25519").generatePrivate(new PKCS8EncodedKeySpec(pkcs8EncodePrivateKey(bArr)));
    }

    public Ed25519SignJce(byte[] bArr) throws GeneralSecurityException {
        this(bArr, new byte[0], new byte[0]);
    }

    public static boolean isSupported() {
        try {
            EngineFactory.KEY_FACTORY.getInstance("Ed25519");
            EngineFactory.SIGNATURE.getInstance("Ed25519");
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /* JADX WARN: Type inference failed for: r0v12, types: [byte[], byte[][]] */
    @Override // com.google.crypto.tink.PublicKeySign
    public byte[] sign(byte[] bArr) throws GeneralSecurityException {
        Signature engineFactory = EngineFactory.SIGNATURE.getInstance("Ed25519");
        engineFactory.initSign(this.privateKey);
        engineFactory.update(bArr);
        engineFactory.update(this.messageSuffix);
        byte[] sign = engineFactory.sign();
        return this.outputPrefix.length == 0 ? sign : Bytes.concat(new byte[]{this.outputPrefix, sign});
    }
}
