package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.crypto.spec.SM2ParameterSpec;
import com.tencent.kona.sun.security.ssl.SM2KeyExchange;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.ssl.TLCPAuthentication;
import com.tencent.kona.sun.security.util.HexDumpEncoder;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Locale;
import javax.crypto.SecretKey;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2ClientKeyExchange.class */
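/**
 * TLCP SM2 ClientKeyExchange handling.
 *
 * <p>The client generates a fresh premaster secret, encrypts it to the
 * server's SM2 <em>encryption</em> certificate key (TLCP uses a separate
 * signing key pair) and sends the ciphertext; the server decrypts it with the
 * matching encryption private key. Both sides then derive the master secret
 * and install the traffic key derivation for the negotiated protocol.
 *
 * <p>Wire format of the message body: a single opaque vector with a 2-byte
 * length prefix holding the SM2 ciphertext. Nothing else is transmitted; the
 * ClientHello version recorded in the message is for diagnostics only.
 */
final class SM2ClientKeyExchange {
    /** Server-side consumer of the SM2 ClientKeyExchange message. */
    static final SSLConsumer sm2HandshakeConsumer = new SM2ClientKeyExchangeConsumer();
    /** Client-side producer of the SM2 ClientKeyExchange message. */
    static final HandshakeProducer sm2HandshakeProducer = new SM2ClientKeyExchangeProducer();

    /**
     * Server side: decrypts the client's SM2-encrypted premaster secret with
     * the server's encryption private key, records it as a handshake credential
     * and derives the master secret / traffic key derivation.
     */
    private static final class SM2ClientKeyExchangeConsumer implements SSLConsumer {
        private SM2ClientKeyExchangeConsumer() {
        }

        /**
         * @param context the server handshake context
         * @param message the ClientKeyExchange body (already sliced to the
         *                handshake message by the caller)
         * @throws IOException fatal alert on any malformed or undecryptable
         *                     message, or missing/invalid server key material
         */
        @Override // com.tencent.kona.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext context, ByteBuffer message) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) context;

            // The TLCP possession carries the encryption key pair used here,
            // distinct from the signing key pair.
            TLCPAuthentication.TLCPPossession tlcpPossession = findTlcpPossession(shc);
            if (tlcpPossession == null) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "No SM2 possessions negotiated for client key exchange");
            }

            PrivateKey encPrivateKey = tlcpPossession.popEncPrivateKey;
            // Null-guard first: a missing key must surface as a fatal alert,
            // not as a NullPointerException escaping the handshake.
            if (encPrivateKey == null || !"EC".equals(encPrivateKey.getAlgorithm())) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Not SM2 private key for client key exchange");
            }

            SM2ClientKeyExchangeMessage ckem = new SM2ClientKeyExchangeMessage(shc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                // Only the ciphertext is logged (it is public data on the wire);
                // the decrypted premaster secret never reaches the log.
                SSLLogger.fine("Consuming SM2 ClientKeyExchange handshake message",
                        new Object[]{ckem});
            }

            try {
                // Decryption failures end up here as a fatal ILLEGAL_PARAMETER;
                // whether decode() masks them internally (as the RSA code path
                // does) is not visible from this class.
                shc.handshakeCredentials.add(
                        SM2KeyExchange.SM2PremasterSecret.decode(shc, encPrivateKey, ckem.encrypted));
                deriveMasterSecret(shc);
            } catch (GeneralSecurityException gse) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Cannot decode SM2 premaster secret", gse);
            }
        }
    }

    /**
     * The ClientKeyExchange handshake message: one length-prefixed opaque
     * vector holding the SM2 ciphertext of the premaster secret.
     */
    private static final class SM2ClientKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        /** ClientHello version; reported by toString() only, never sent. */
        final int protocolVersion;
        /** SM2 ciphertext of the premaster secret, exactly as sent on the wire. */
        final byte[] encrypted;

        /**
         * Client-side constructor: encrypts {@code premaster} to the server's
         * encryption public key using the context's SecureRandom.
         *
         * @throws GeneralSecurityException if SM2 encryption fails
         */
        SM2ClientKeyExchangeMessage(HandshakeContext hc,
                SM2KeyExchange.SM2PremasterSecret premaster,
                PublicKey encPublicKey) throws GeneralSecurityException {
            super(hc);
            this.protocolVersion = hc.clientHelloVersion;
            this.encrypted = premaster.getEncoded(encPublicKey, hc.sslContext.getSecureRandom());
        }

        /**
         * Server-side constructor: parses the message body received from the
         * peer.
         *
         * @throws IOException fatal HANDSHAKE_FAILURE if the body is shorter
         *                     than its length prefix or carries trailing bytes
         */
        SM2ClientKeyExchangeMessage(HandshakeContext hc, ByteBuffer m) throws IOException {
            super(hc);
            if (m.remaining() < 2) {
                throw hc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid SM2 ClientKeyExchange message: insufficient data");
            }
            this.protocolVersion = hc.clientHelloVersion;
            this.encrypted = Record.getBytes16(m);
            // Strict parsing: the body is exactly one vector. Trailing bytes
            // indicate a malformed (or tampered) message and are rejected
            // rather than silently ignored.
            if (m.hasRemaining()) {
                throw hc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid SM2 ClientKeyExchange message: unexpected trailing data");
            }
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.CLIENT_KEY_EXCHANGE;
        }

        /** Length of the body: 2-byte length prefix plus the ciphertext. */
        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            return this.encrypted.length + 2;
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream hos) throws IOException {
            hos.putBytes16(this.encrypted);
        }

        /** Debug rendering; the hex dump is of the ciphertext, not of the secret. */
        @Override
        public String toString() {
            MessageFormat format = new MessageFormat(
                    "\"SM2 ClientKeyExchange\": '{'\n"
                    + "  \"client_version\":  {0}\n"
                    + "  \"encrypted\": '{'\n"
                    + "{1}\n"
                    + "  '}'\n"
                    + "'}'",
                    Locale.ENGLISH);
            Object[] fields = {
                ProtocolVersion.nameOf(this.protocolVersion),
                Utilities.indent(new HexDumpEncoder().encodeBuffer(this.encrypted), "    ")
            };
            return format.format(fields);
        }
    }

    /**
     * Client side: creates the premaster secret, encrypts it to the server's
     * SM2 encryption public key, sends the message and derives the master
     * secret / traffic key derivation.
     */
    private static final class SM2ClientKeyExchangeProducer implements HandshakeProducer {
        private SM2ClientKeyExchangeProducer() {
        }

        /**
         * @return always {@code null}; the message is written directly to the
         *         handshake output stream
         * @throws IOException fatal alert on missing/invalid server key
         *                     material or failure to build the message
         */
        @Override // com.tencent.kona.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext context,
                SSLHandshake.HandshakeMessage message) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) context;

            TLCPAuthentication.TLCPCredentials tlcpCredentials = findTlcpCredentials(chc);
            if (tlcpCredentials == null) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "No SM2 credentials negotiated for client key exchange");
            }

            PublicKey candidate = tlcpCredentials.popEncPublicKey;
            // Check the type before casting so an unexpected key class (or a
            // null key) becomes a fatal alert instead of a ClassCastException.
            if (!(candidate instanceof ECPublicKey)) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Not SM2 public key for client key exchange");
            }
            ECPublicKey encPublicKey = (ECPublicKey) candidate;
            // NOTE(review): this condition is kept as shipped. As written it
            // rejects a key whose parameters are an SM2ParameterSpec and accepts
            // any other EC key, which reads inverted relative to the alert text
            // and does not positively verify that the key is on the SM2 curve.
            // Confirm what popEncPublicKey.getParams() returns for certificate
            // keys before flipping it: the wrong choice rejects every handshake.
            if (!encPublicKey.getAlgorithm().equals("EC")
                    || (encPublicKey.getParams() instanceof SM2ParameterSpec)) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Not SM2 public key for client key exchange");
            }

            try {
                SM2KeyExchange.SM2PremasterSecret premaster =
                        SM2KeyExchange.SM2PremasterSecret.createPremasterSecret(chc);
                // The premaster is recorded as a possession before the message
                // is sent; key derivation below reads it from the context.
                chc.handshakePossessions.add(premaster);

                SM2ClientKeyExchangeMessage ckem =
                        new SM2ClientKeyExchangeMessage(chc, premaster, encPublicKey);
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    // Logs the ciphertext only; the premaster secret itself is
                    // never rendered.
                    SSLLogger.fine("Produced SM2 ClientKeyExchange handshake message",
                            new Object[]{ckem});
                }

                ckem.write(chc.handshakeOutput);
                chc.handshakeOutput.flush();

                deriveMasterSecret(chc);
                return null;
            } catch (GeneralSecurityException gse) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Cannot generate SM2 premaster secret", gse);
            }
        }
    }

    /**
     * Returns the first TLCP possession among the server's handshake
     * possessions, or {@code null} if none was negotiated.
     */
    private static TLCPAuthentication.TLCPPossession findTlcpPossession(ServerHandshakeContext shc) {
        for (SSLPossession possession : shc.handshakePossessions) {
            if (possession instanceof TLCPAuthentication.TLCPPossession) {
                return (TLCPAuthentication.TLCPPossession) possession;
            }
        }
        return null;
    }

    /**
     * Returns the first TLCP credentials among the client's handshake
     * credentials, or {@code null} if none was negotiated.
     */
    private static TLCPAuthentication.TLCPCredentials findTlcpCredentials(ClientHandshakeContext chc) {
        for (SSLCredentials credentials : chc.handshakeCredentials) {
            if (credentials instanceof TLCPAuthentication.TLCPCredentials) {
                return (TLCPAuthentication.TLCPCredentials) credentials;
            }
        }
        return null;
    }

    /**
     * Shared post-exchange step for both peers: derives the master secret for
     * the negotiated cipher suite / protocol, stores it on the handshake
     * session and installs the protocol's traffic key derivation.
     *
     * @throws IOException fatal INTERNAL_ERROR if the negotiated key exchange
     *                     or protocol has no registered derivation
     */
    private static void deriveMasterSecret(HandshakeContext hc)
            throws IOException, GeneralSecurityException {
        SSLKeyExchange keyExchange = SSLKeyExchange.valueOf(
                hc.negotiatedCipherSuite.keyExchange, hc.negotiatedProtocol);
        if (keyExchange == null) {
            throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                    "Not supported key exchange type");
        }
        SecretKey masterSecret = keyExchange.createKeyDerivation(hc).deriveKey("MasterSecret", null);
        hc.handshakeSession.setMasterSecret(masterSecret);

        SSLTrafficKeyDerivation trafficKd = SSLTrafficKeyDerivation.valueOf(hc.negotiatedProtocol);
        if (trafficKd == null) {
            throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                    "Not supported key derivation: " + hc.negotiatedProtocol);
        }
        hc.handshakeKeyDerivation = trafficKd.createKeyDerivation(hc, masterSecret);
    }

    SM2ClientKeyExchange() {
    }
}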
