package com.nimbusds.jose.crypto;

import com.nimbusds.jose.JOSEException;
import java.security.Provider;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.jcip.annotations.ThreadSafe;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

@ThreadSafe
/* loaded from: classes.dex */
class AESGCMKW {
    public static final int AUTH_TAG_BIT_LENGTH = 128;

    private AESGCMKW() {
    }

    public static SecretKey decryptCEK(SecretKey secretKey, byte[] bArr, AuthenticatedCipherText authenticatedCipherText, int i, Provider provider) throws JOSEException {
        GCMBlockCipher gCMBlockCipher = new GCMBlockCipher(AES.createCipher(secretKey, false));
        gCMBlockCipher.init(false, new AEADParameters(new KeyParameter(secretKey.getEncoded()), 128, bArr, (byte[]) null));
        byte[] cipherText = authenticatedCipherText.getCipherText();
        byte[] authenticationTag = authenticatedCipherText.getAuthenticationTag();
        byte[] bArr2 = new byte[cipherText.length + authenticationTag.length];
        System.arraycopy(cipherText, 0, bArr2, 0, cipherText.length);
        System.arraycopy(authenticationTag, 0, bArr2, cipherText.length, authenticationTag.length);
        byte[] bArr3 = new byte[gCMBlockCipher.getOutputSize(bArr2.length)];
        try {
            gCMBlockCipher.doFinal(bArr3, gCMBlockCipher.processBytes(bArr2, 0, bArr2.length, bArr3, 0));
            if (bArr3.length * 8 == i) {
                return new SecretKeySpec(bArr3, "AES");
            }
            throw new JOSEException("CEK key length mismatch: " + bArr3.length + " != " + i);
        } catch (InvalidCipherTextException e) {
            throw new JOSEException("Couldn't validate GCM authentication tag: " + e.getMessage(), e);
        }
    }

    public static AuthenticatedCipherText encryptCEK(SecretKey secretKey, byte[] bArr, SecretKey secretKey2, Provider provider) throws JOSEException {
        GCMBlockCipher gCMBlockCipher = new GCMBlockCipher(AES.createCipher(secretKey2, true));
        gCMBlockCipher.init(true, new AEADParameters(new KeyParameter(secretKey2.getEncoded()), 128, bArr, (byte[]) null));
        byte[] bArr2 = new byte[gCMBlockCipher.getOutputSize(secretKey.getEncoded().length)];
        int processBytes = gCMBlockCipher.processBytes(secretKey.getEncoded(), 0, secretKey.getEncoded().length, bArr2, 0);
        try {
            int doFinal = (processBytes + gCMBlockCipher.doFinal(bArr2, processBytes)) - 16;
            byte[] bArr3 = new byte[doFinal];
            byte[] bArr4 = new byte[16];
            System.arraycopy(bArr2, 0, bArr3, 0, bArr3.length);
            System.arraycopy(bArr2, doFinal, bArr4, 0, bArr4.length);
            return new AuthenticatedCipherText(bArr3, bArr4);
        } catch (InvalidCipherTextException e) {
            throw new JOSEException("Couldn't generate GCM authentication tag for key: " + e.getMessage(), e);
        }
    }
}
