package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.sun.security.ssl.CipherSuite;
import com.tencent.kona.sun.security.ssl.ClientHello;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.ssl.ServerHello;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPServerHello.class */
/**
 * ServerHello handling for TLCP handshakes: a server-side producer that builds and sends
 * the ServerHello, and a client-side consumer that validates the one it receives.
 *
 * <p>This is decompiled (JADX) output; local names below were chosen for readability.
 */
public final class TLCPServerHello {
    static final HandshakeProducer tlcpHandshakeProducer = new TLCPServerHelloProducer();
    static final HandshakeConsumer tlcpHandshakeConsumer = new TLCPServerHelloConsumer();

    /** Client side: validates a received ServerHello and arms the consumers for the next flight. */
    private static final class TLCPServerHelloConsumer implements HandshakeConsumer {
        private TLCPServerHelloConsumer() {
        }

        /**
         * Validates the server's choices and updates the client handshake context.
         *
         * @param connectionContext cast to {@code ClientHandshakeContext}
         * @param handshakeMessage cast to {@code ServerHello.ServerHelloMessage}
         * @throws IOException when a check fails and a fatal alert is raised through
         *         {@code conContext.fatal(...)}
         */
        @Override
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            final ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            final ServerHello.ServerHelloMessage serverHello = (ServerHello.ServerHelloMessage) handshakeMessage;

            // Refuse a server-selected version the client has not enabled.
            if (!chc.isNegotiable(serverHello.serverVersion)) {
                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                        "Server chose " + serverHello.serverVersion
                                + ", but that protocol version is not enabled or not supported by the client.");
            }

            chc.negotiatedCipherSuite = serverHello.cipherSuite;
            chc.handshakeHash.determine(chc.negotiatedProtocol, chc.negotiatedCipherSuite);
            chc.serverHelloRandom = serverHello.serverRandom;

            // A suite with no key exchange cannot be used on this code path.
            if (chc.negotiatedCipherSuite.keyExchange == null) {
                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                        "TLCP does not support the server cipher suite: " + chc.negotiatedCipherSuite.name);
            }

            // renegotiation_info is loaded first, before any session decision is taken.
            serverHello.extensions.consumeOnLoad(chc, new SSLExtension[]{SSLExtension.SH_RENEGOTIATION_INFO});

            if (chc.resumingSession != null) {
                if (serverHello.sessionId.equals(chc.resumingSession.getSessionId())) {
                    // The server echoed our session id: the resumed parameters must match
                    // the cached session exactly, otherwise the handshake is aborted.
                    if (chc.negotiatedCipherSuite != chc.resumingSession.getSuite()) {
                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                                "Server returned wrong cipher suite for session");
                    }
                    if (chc.negotiatedProtocol != chc.resumingSession.getProtocolVersion()) {
                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                                "Server resumed with wrong protocol version");
                    }
                    chc.isResumption = true;
                    chc.resumingSession.setAsSessionResumption(true);
                    chc.handshakeSession = chc.resumingSession;
                } else {
                    // The server declined resumption: drop the cached session so it is not offered again.
                    chc.resumingSession.invalidate();
                    chc.resumingSession = null;
                    chc.isResumption = false;
                    // NOTE(review): PROTOCOL_VERSION is the alert used for this policy failure.
                    if (!chc.sslConfig.enableSessionCreation) {
                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION, "New session creation is disabled");
                    }
                }
            }

            final SSLExtension[] enabledExtensions = chc.sslConfig.getEnabledExtensions(SSLHandshake.SERVER_HELLO);
            serverHello.extensions.consumeOnLoad(chc, enabledExtensions);

            if (!chc.isResumption) {
                // isResumption may have changed while loading extensions, so re-check the cached session.
                if (chc.resumingSession != null) {
                    chc.resumingSession.invalidate();
                    chc.resumingSession = null;
                }
                if (!chc.sslConfig.enableSessionCreation) {
                    throw chc.conContext.fatal(Alert.PROTOCOL_VERSION, "New session creation is disabled");
                }
                if (serverHello.sessionId.length() == 0 && chc.statelessResumption) {
                    // Empty server session id with stateless resumption: assign a local id
                    // drawn from the context's SecureRandom.
                    SessionId localId = new SessionId(true, chc.sslContext.getSecureRandom());
                    chc.handshakeSession = new SSLSessionImpl(chc, chc.negotiatedCipherSuite, localId);
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.fine("Locally assigned Session Id: " + localId.toString(), new Object[0]);
                    }
                } else {
                    chc.handshakeSession = new SSLSessionImpl(chc, chc.negotiatedCipherSuite, serverHello.sessionId);
                }
                chc.handshakeSession.setMaximumPacketSize(chc.sslConfig.maximumPacketSize);
            }

            serverHello.extensions.consumeOnTrade(chc, enabledExtensions);

            if (chc.isResumption) {
                // Abbreviated handshake: keys are derived from the cached master secret.
                SSLTrafficKeyDerivation derivation = SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                if (derivation == null) {
                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                            "Not supported key derivation: " + chc.negotiatedProtocol);
                }
                chc.handshakeKeyDerivation =
                        derivation.createKeyDerivation(chc, chc.resumingSession.getMasterSecret());
                if (chc.statelessResumption) {
                    chc.handshakeConsumers.putIfAbsent(
                            Byte.valueOf(SSLHandshake.NEW_SESSION_TICKET.id), SSLHandshake.NEW_SESSION_TICKET);
                }
                chc.conContext.consumers.putIfAbsent(
                        Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id), TLCPChangeCipherSpec.tlcpConsumer);
                chc.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            } else {
                // Full handshake: accept the messages the key exchange expects, then ServerHelloDone.
                SSLKeyExchange keyExchange =
                        SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange, chc.negotiatedProtocol);
                chc.handshakeKeyExchange = keyExchange;
                if (keyExchange != null) {
                    for (SSLHandshake related : keyExchange.getRelatedHandshakers(chc)) {
                        chc.handshakeConsumers.put(Byte.valueOf(related.id), related);
                    }
                }
                chc.handshakeConsumers.put(
                        Byte.valueOf(SSLHandshake.SERVER_HELLO_DONE.id), SSLHandshake.SERVER_HELLO_DONE);
            }
        }
    }

    /** Server side: picks the session or cipher suite and emits the ServerHello. */
    private static final class TLCPServerHelloProducer implements HandshakeProducer {

        /**
         * Result of cipher-suite selection: the suite, its key exchange and the local
         * possessions created for it.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public static final class KeyExchangeProperties {
            final CipherSuite cipherSuite;
            final SSLKeyExchange keyExchange;
            final SSLPossession[] possessions;

            private KeyExchangeProperties(CipherSuite suite, SSLKeyExchange exchange, SSLPossession[] held) {
                this.cipherSuite = suite;
                this.keyExchange = exchange;
                this.possessions = held;
            }
        }

        private TLCPServerHelloProducer() {
        }

        /**
         * Builds the ServerHello, writes it to {@code handshakeOutput} and flushes it.
         *
         * @param connectionContext cast to {@code ServerHandshakeContext}
         * @param handshakeMessage cast to {@code ClientHello.ClientHelloMessage}
         * @return always {@code null}
         * @throws IOException when new sessions are disallowed, no cipher suite can be
         *         agreed, or no key derivation exists for the negotiated protocol
         */
        @Override
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            final ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            final ClientHello.ClientHelloMessage clientHello = (ClientHello.ClientHelloMessage) handshakeMessage;

            if (shc.isResumption && shc.resumingSession != null) {
                if (shc.statelessResumption) {
                    // Re-wrap the resumed session under the client's session id, or a fresh
                    // random one when the client sent none.
                    SessionId resumedId = clientHello.sessionId.length() == 0
                            ? new SessionId(true, shc.sslContext.getSecureRandom())
                            : new SessionId(clientHello.sessionId.getId());
                    shc.resumingSession = new SSLSessionImpl(shc.resumingSession, resumedId);
                }
                // Protocol and suite come from the cached session, not from this ClientHello.
                shc.handshakeSession = shc.resumingSession;
                shc.negotiatedProtocol = shc.resumingSession.getProtocolVersion();
                shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
                shc.handshakeHash.determine(shc.negotiatedProtocol, shc.negotiatedCipherSuite);
            } else {
                if (!shc.sslConfig.enableSessionCreation) {
                    throw new SSLException("Not resumption, and no new session is allowed");
                }
                if (shc.localSupportedSignAlgs == null) {
                    shc.localSupportedSignAlgs = SignatureScheme.getSupportedAlgorithms(
                            shc.sslConfig, shc.algorithmConstraints, shc.activeProtocols);
                }

                // The session starts with C_NULL; the real suite is set once selection succeeds.
                SSLSessionImpl freshSession = new SSLSessionImpl(shc, CipherSuite.C_NULL);
                freshSession.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
                shc.handshakeSession = freshSession;

                clientHello.extensions.consumeOnTrade(shc,
                        shc.sslConfig.getEnabledExtensions(SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol));

                KeyExchangeProperties selection = chooseCipherSuite(shc, clientHello);
                // NOTE(review): chooseCipherSuite() as written throws instead of returning null,
                // so this branch looks unreachable.
                if (selection == null) {
                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "no cipher suites in common");
                }
                shc.negotiatedCipherSuite = selection.cipherSuite;
                shc.handshakeKeyExchange = selection.keyExchange;
                shc.handshakeSession.setSuite(selection.cipherSuite);
                shc.handshakePossessions.addAll(Arrays.asList(selection.possessions));
                shc.handshakeHash.determine(shc.negotiatedProtocol, shc.negotiatedCipherSuite);

                shc.stapleParams = StatusResponseManager.processStapling(shc);
                shc.staplingActive = shc.stapleParams != null;

                SSLKeyExchange keyExchange = selection.keyExchange;
                if (keyExchange != null) {
                    for (Map.Entry<Byte, HandshakeProducer> producer : keyExchange.getHandshakeProducers(shc)) {
                        shc.handshakeProducers.put(producer.getKey(), producer.getValue());
                    }

                    // A CertificateRequest is queued when client auth is configured, and also
                    // for the two TLCP ECDHE suites even with CLIENT_AUTH_NONE (presumably
                    // because that key exchange needs a client certificate; confirm against
                    // the TLCP spec). Anonymous suites never request one.
                    boolean ecdheSuite = shc.negotiatedCipherSuite == CipherSuite.TLCP_ECDHE_SM4_GCM_SM3
                            || shc.negotiatedCipherSuite == CipherSuite.TLCP_ECDHE_SM4_CBC_SM3;
                    boolean requestClientCert =
                            (shc.sslConfig.clientAuthType != ClientAuthType.CLIENT_AUTH_NONE || ecdheSuite)
                                    && !shc.negotiatedCipherSuite.isAnonymous();
                    if (requestClientCert) {
                        for (SSLHandshake related : keyExchange.getRelatedHandshakers(shc)) {
                            if (related == SSLHandshake.CERTIFICATE) {
                                shc.handshakeProducers.put(
                                        Byte.valueOf(SSLHandshake.CERTIFICATE_REQUEST.id),
                                        SSLHandshake.CERTIFICATE_REQUEST);
                                break;
                            }
                        }
                    }
                }
                shc.handshakeProducers.put(
                        Byte.valueOf(SSLHandshake.SERVER_HELLO_DONE.id), SSLHandshake.SERVER_HELLO_DONE);
            }

            ServerHello.ServerHelloMessage serverHello = new ServerHello.ServerHelloMessage(
                    shc,
                    shc.negotiatedProtocol,
                    shc.handshakeSession.getSessionId(),
                    shc.negotiatedCipherSuite,
                    new RandomCookie(shc),
                    clientHello);
            shc.serverHelloRandom = serverHello.serverRandom;
            serverHello.extensions.produce(shc,
                    shc.sslConfig.getEnabledExtensions(SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol));
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced ServerHello handshake message", new Object[]{serverHello});
            }
            serverHello.write(shc.handshakeOutput);
            shc.handshakeOutput.flush();

            if (shc.isResumption && shc.resumingSession != null) {
                // Abbreviated handshake: derive keys from the cached master secret and queue Finished.
                SSLTrafficKeyDerivation derivation = SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
                if (derivation == null) {
                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                            "Not supported key derivation: " + shc.negotiatedProtocol);
                }
                shc.handshakeKeyDerivation =
                        derivation.createKeyDerivation(shc, shc.resumingSession.getMasterSecret());
                shc.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            }
            return null;
        }

        /**
         * Selects the first mutually negotiable cipher suite for which the server can
         * create possessions.
         *
         * <p>The iteration order follows {@code sslConfig.preferLocalCipherSuites}: the
         * server's active list when it is set, otherwise the client's offered list, so
         * with the flag off the client's ordering decides among the enabled suites.
         * Anonymous DH/ECDH suites are skipped when client authentication is required.
         *
         * @return the selected suite with its key exchange and possessions
         * @throws IOException a fatal {@code HANDSHAKE_FAILURE} when nothing qualifies
         */
        private static KeyExchangeProperties chooseCipherSuite(ServerHandshakeContext serverHandshakeContext, ClientHello.ClientHelloMessage clientHelloMessage) throws IOException {
            final boolean serverOrder = serverHandshakeContext.sslConfig.preferLocalCipherSuites;
            final List<CipherSuite> preferred =
                    serverOrder ? serverHandshakeContext.activeCipherSuites : clientHelloMessage.cipherSuites;
            final List<CipherSuite> proposed =
                    serverOrder ? clientHelloMessage.cipherSuites : serverHandshakeContext.activeCipherSuites;

            for (CipherSuite candidate : preferred) {
                if (!HandshakeContext.isNegotiable(proposed, serverHandshakeContext.negotiatedProtocol, candidate)) {
                    continue;
                }
                // An anonymous key exchange cannot satisfy mandatory client authentication.
                if (serverHandshakeContext.sslConfig.clientAuthType == ClientAuthType.CLIENT_AUTH_REQUIRED
                        && (candidate.keyExchange == CipherSuite.KeyExchange.K_DH_ANON
                                || candidate.keyExchange == CipherSuite.KeyExchange.K_ECDH_ANON)) {
                    continue;
                }
                SSLKeyExchange exchange =
                        SSLKeyExchange.valueOf(candidate.keyExchange, serverHandshakeContext.negotiatedProtocol);
                if (exchange == null) {
                    continue;
                }
                // No usable possessions for this suite: try the next candidate.
                SSLPossession[] held = exchange.createPossessions(serverHandshakeContext);
                if (held == null || held.length == 0) {
                    continue;
                }
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("use cipher suite " + candidate.name, new Object[0]);
                }
                return new KeyExchangeProperties(candidate, exchange, held);
            }
            throw serverHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "no cipher suites in common");
        }
    }

    TLCPServerHello() {
    }
}
