package com.google.crypto.tink.hybrid.internal;

import ch.qos.logback.core.joran.action.Action;
import com.google.crypto.tink.subtle.Bytes;
import com.google.crypto.tink.subtle.SubtleUtil;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.ThreadSafe;

@ThreadSafe
/* loaded from: classes4.dex */
public final class HpkeContext {
    public static final byte[] EMPTY_IKM = new byte[0];
    public final HpkeAead aead;
    public final byte[] baseNonce;
    public final byte[] encapsulatedKey;
    public final byte[] key;
    public final BigInteger maxSequenceNumber;

    @GuardedBy("this")
    public BigInteger sequenceNumber = BigInteger.ZERO;

    public HpkeContext(byte[] bArr, byte[] bArr2, byte[] bArr3, BigInteger bigInteger, HpkeAead hpkeAead) {
        this.encapsulatedKey = bArr;
        this.key = bArr2;
        this.baseNonce = bArr3;
        this.maxSequenceNumber = bigInteger;
        this.aead = hpkeAead;
    }

    public static HpkeContext createContext(byte[] bArr, byte[] bArr2, HpkeKem hpkeKem, HkdfHpkeKdf hkdfHpkeKdf, HpkeAead hpkeAead, byte[] bArr3) throws GeneralSecurityException {
        byte[] concat = Bytes.concat(HpkeUtil.HPKE, hpkeKem.getKemId(), hkdfHpkeKdf.getKdfId(), hpkeAead.getAeadId());
        byte[] bArr4 = HpkeUtil.EMPTY_SALT;
        byte[] bArr5 = EMPTY_IKM;
        byte[] concat2 = Bytes.concat(HpkeUtil.BASE_MODE, hkdfHpkeKdf.labeledExtract(bArr4, bArr5, "psk_id_hash", concat), hkdfHpkeKdf.labeledExtract(bArr4, bArr3, "info_hash", concat));
        byte[] labeledExtract = hkdfHpkeKdf.labeledExtract(bArr2, bArr5, "secret", concat);
        int keyLength = hpkeAead.getKeyLength();
        byte[] expand = hkdfHpkeKdf.expand(labeledExtract, HpkeUtil.labelInfo(Action.KEY_ATTRIBUTE, concat2, concat, keyLength), keyLength);
        hpkeAead.getNonceLength();
        byte[] expand2 = hkdfHpkeKdf.expand(labeledExtract, HpkeUtil.labelInfo("base_nonce", concat2, concat, 12), 12);
        hpkeAead.getNonceLength();
        BigInteger bigInteger = BigInteger.ONE;
        return new HpkeContext(bArr, expand, expand2, bigInteger.shiftLeft(96).subtract(bigInteger), hpkeAead);
    }

    public final synchronized byte[] computeNonceAndIncrementSequenceNumber() throws GeneralSecurityException {
        byte[] xor;
        byte[] bArr = this.baseNonce;
        BigInteger bigInteger = this.sequenceNumber;
        this.aead.getNonceLength();
        xor = Bytes.xor(bArr, SubtleUtil.integer2Bytes(bigInteger, 12));
        if (this.sequenceNumber.compareTo(this.maxSequenceNumber) >= 0) {
            throw new GeneralSecurityException("message limit reached");
        }
        this.sequenceNumber = this.sequenceNumber.add(BigInteger.ONE);
        return xor;
    }
}
