package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.crypto.CryptoInsts;
import com.tencent.kona.crypto.spec.SM2SignatureParameterSpec;
import com.tencent.kona.crypto.util.Constants;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.ssl.TLCPAuthentication;
import com.tencent.kona.sun.security.util.HexDumpEncoder;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Locale;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2ServerKeyExchange.class */
final class SM2ServerKeyExchange {
    static final SSLConsumer sm2HandshakeConsumer = new SM2ServerKeyExchangeConsumer();
    static final HandshakeProducer sm2HandshakeProducer = new SM2ServerKeyExchangeProducer();

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeConsumer.class */
    private static final class SM2ServerKeyExchangeConsumer implements SSLConsumer {
        private SM2ServerKeyExchangeConsumer() {
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            SM2ServerKeyExchangeMessage sM2ServerKeyExchangeMessage = new SM2ServerKeyExchangeMessage((ClientHandshakeContext) connectionContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming SM2 ServerKeyExchange handshake message", new Object[]{sM2ServerKeyExchangeMessage});
            }
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeMessage.class */
    private static final class SM2ServerKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        private final byte[] paramsSignature;
        private final boolean useExplicitSigAlgorithm;
        private final SignatureScheme signatureScheme;

        SM2ServerKeyExchangeMessage(HandshakeContext handshakeContext) throws IOException {
            super(handshakeContext);
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) handshakeContext;
            TLCPAuthentication.TLCPPossession tLCPPossession = null;
            Iterator<SSLPossession> it = serverHandshakeContext.handshakePossessions.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SSLPossession next = it.next();
                if (next instanceof TLCPAuthentication.TLCPPossession) {
                    tLCPPossession = (TLCPAuthentication.TLCPPossession) next;
                    break;
                }
            }
            if (tLCPPossession == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No SM2 credentials negotiated for server key exchange");
            }
            this.useExplicitSigAlgorithm = serverHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
            if (!this.useExplicitSigAlgorithm) {
                this.signatureScheme = null;
            } else {
                if (serverHandshakeContext.peerRequestedSignatureSchemes == null || !serverHandshakeContext.peerRequestedSignatureSchemes.contains(SignatureScheme.SM2SIG_SM3)) {
                    throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "No supported signature algorithm for " + tLCPPossession.popSignPrivateKey.getAlgorithm() + " key");
                }
                this.signatureScheme = SignatureScheme.SM2SIG_SM3;
            }
            try {
                Signature signature = CryptoInsts.getSignature(SignatureScheme.SM2SIG_SM3.algorithm);
                signature.setParameter(new SM2SignatureParameterSpec(Constants.defaultId(), (ECPublicKey) tLCPPossession.popSignPublicKey));
                signature.initSign(tLCPPossession.popSignPrivateKey);
                updateSignature(signature, serverHandshakeContext.clientHelloRandom.randomBytes, serverHandshakeContext.serverHelloRandom.randomBytes, tLCPPossession.popEncCert);
                this.paramsSignature = signature.sign();
            } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | CertificateEncodingException e) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign SM2 parameters: " + tLCPPossession.popSignPrivateKey.getAlgorithm(), e);
            }
        }

        SM2ServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) handshakeContext;
            TLCPAuthentication.TLCPCredentials tLCPCredentials = null;
            Iterator<SSLCredentials> it = clientHandshakeContext.handshakeCredentials.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SSLCredentials next = it.next();
                if (next instanceof TLCPAuthentication.TLCPCredentials) {
                    tLCPCredentials = (TLCPAuthentication.TLCPCredentials) next;
                    break;
                }
            }
            if (tLCPCredentials == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No SM2 credentials negotiated for server key exchange");
            }
            this.useExplicitSigAlgorithm = clientHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
            if (this.useExplicitSigAlgorithm) {
                int int16 = Record.getInt16(byteBuffer);
                this.signatureScheme = SignatureScheme.valueOf(int16);
                if (this.signatureScheme == null) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature algorithm (" + int16 + ") used in SM2 ServerKeyExchange handshake message");
                }
                if (!clientHandshakeContext.localSupportedSignAlgs.contains(this.signatureScheme)) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Unsupported signature algorithm (" + this.signatureScheme.name + ") used in SM2 ServerKeyExchange handshake message");
                }
            } else {
                this.signatureScheme = null;
            }
            this.paramsSignature = Record.getBytes16(byteBuffer);
            try {
                Signature signature = CryptoInsts.getSignature(SignatureScheme.SM2SIG_SM3.algorithm);
                signature.setParameter(new SM2SignatureParameterSpec(Constants.defaultId(), (ECPublicKey) tLCPCredentials.popSignCert.getPublicKey()));
                signature.initVerify(tLCPCredentials.popSignPublicKey);
                updateSignature(signature, clientHandshakeContext.clientHelloRandom.randomBytes, clientHandshakeContext.serverHelloRandom.randomBytes, tLCPCredentials.popEncCert);
                if (signature.verify(this.paramsSignature)) {
                } else {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid SM2 ServerKeyExchange signature");
                }
            } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | CertificateEncodingException e) {
                throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot verify SM2 ServerKeyExchange signature", e);
            }
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.SERVER_KEY_EXCHANGE;
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            int length = 2 + this.paramsSignature.length;
            if (this.useExplicitSigAlgorithm) {
                length += SignatureScheme.sizeInRecord();
            }
            return length;
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) throws IOException {
            if (this.useExplicitSigAlgorithm) {
                handshakeOutStream.putInt16(this.signatureScheme.id);
            }
            handshakeOutStream.putBytes16(this.paramsSignature);
        }

        public String toString() {
            return this.useExplicitSigAlgorithm ? new MessageFormat("\"SM2E ServerKeyExchange\": '{'\n  \"digital signature\":  '{'\n    \"signature algorithm\": \"{0}\"\n    \"signature\": '{'\n{1}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{this.signatureScheme.name, Utilities.indent(new HexDumpEncoder().encodeBuffer(this.paramsSignature), "      ")}) : new MessageFormat("\"SM2 ServerKeyExchange\": '{'\n  \"digital signature\":  '{'\n    \"signature\": '{'\n{0}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{Utilities.indent(new HexDumpEncoder().encodeBuffer(this.paramsSignature), "      ")});
        }

        private static void updateSignature(Signature signature, byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws SignatureException, CertificateEncodingException {
            signature.update(bArr);
            signature.update(bArr2);
            byte[] encoded = x509Certificate.getEncoded();
            int length = encoded.length;
            signature.update((byte) ((length >> 16) & 255));
            signature.update((byte) ((length >> 8) & 255));
            signature.update((byte) (length & 255));
            signature.update(encoded);
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeProducer.class */
    private static final class SM2ServerKeyExchangeProducer implements HandshakeProducer {
        private SM2ServerKeyExchangeProducer() {
        }

        @Override // com.tencent.kona.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) connectionContext;
            SM2ServerKeyExchangeMessage sM2ServerKeyExchangeMessage = new SM2ServerKeyExchangeMessage(serverHandshakeContext);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced SM2 ServerKeyExchange handshake message", new Object[]{sM2ServerKeyExchangeMessage});
            }
            sM2ServerKeyExchangeMessage.write(serverHandshakeContext.handshakeOutput);
            serverHandshakeContext.handshakeOutput.flush();
            return null;
        }
    }

    SM2ServerKeyExchange() {
    }
}
