package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.pkix.PKIXUtils;
import com.tencent.kona.sun.security.ssl.SupportedGroupsExtension;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECParameterSpec;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Map;
import java.util.function.Function;
import javax.net.ssl.X509ExtendedKeyManager;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPAuthentication.class */
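/**
 * Certificate-based authentication for TLCP handshakes using SM2 keys.
 *
 * <p>A TLCP end point authenticates with two end-entity certificates: one used
 * for signing and one used for encryption. A {@link TLCPPossession} therefore
 * carries a signing entry and an encryption entry, both chosen from the
 * {@link X509ExtendedKeyManager} of the SSL context; a {@link TLCPCredentials}
 * carries the corresponding public keys and chains (presumably those received
 * from the peer -- the callers are outside this class).
 *
 * <p>Only SM2 public keys are accepted for a possession (see
 * {@link #checkPublicKey}): the EC parameters of the certificate must map to
 * {@code NamedGroup.CURVESM2}, that group must be enabled locally and, when the
 * client sent a list of requested groups, it must be in that list.
 */
final class TLCPAuthentication implements SSLAuthentication {
    /** SM2 authentication; returned by {@link #valueOf} for {@code SM2SIG_SM3}. */
    static final TLCPAuthentication SM2 = new TLCPAuthentication("EC", "EC");
    /**
     * A second instance configured identically to {@link #SM2}. It is a distinct
     * object, so identity comparisons elsewhere can distinguish the two; what the
     * "E" variant is used for is not visible in this class.
     */
    static final TLCPAuthentication SM2E = new TLCPAuthentication("EC", "EC");

    /** Algorithm name the selected keys are expected to report (here {@code "EC"}). */
    final String keyAlgorithm;
    /** Key types passed to the key manager when listing candidate aliases. */
    final String[] keyTypes;

    /**
     * A private key together with the certificate chain stored under the same
     * key-manager alias. {@link #popCert} and {@link #popPublicKey} cache the
     * end-entity certificate ({@code popCerts[0]}) and its public key.
     */
    public static final class PossessionEntry {
        final PrivateKey popPrivateKey;
        final X509Certificate[] popCerts;
        /** End-entity certificate, i.e. {@code popCerts[0]}. */
        final X509Certificate popCert;
        /** Public key of {@link #popCert}. */
        final PublicKey popPublicKey;

        /**
         * @param privateKey the private key of the alias
         * @param certs the certificate chain of the alias; must be non-null and
         *        non-empty (the callers in this class verify that before
         *        constructing an entry), otherwise indexing {@code certs[0]} fails
         */
        PossessionEntry(PrivateKey privateKey, X509Certificate[] certs) {
            this.popPrivateKey = privateKey;
            this.popCerts = certs;
            this.popCert = certs[0];
            this.popPublicKey = this.popCert.getPublicKey();
        }
    }

    /**
     * Public-key side of a TLCP certificate pair: a signing chain and an
     * encryption chain, each with the public key the caller associated with it.
     */
    static final class TLCPCredentials implements SSLCredentials {
        final PublicKey popSignPublicKey;
        final X509Certificate[] popSignCerts;
        /** End-entity signing certificate, i.e. {@code popSignCerts[0]}. */
        final X509Certificate popSignCert;
        final PublicKey popEncPublicKey;
        final X509Certificate[] popEncCerts;
        /** End-entity encryption certificate, i.e. {@code popEncCerts[0]}. */
        final X509Certificate popEncCert;

        /**
         * @param signPublicKey public key paired with the signing chain
         * @param signCerts signing certificate chain; must be non-null and non-empty
         * @param encPublicKey public key paired with the encryption chain
         * @param encCerts encryption certificate chain; must be non-null and non-empty
         */
        public TLCPCredentials(PublicKey signPublicKey, X509Certificate[] signCerts,
                PublicKey encPublicKey, X509Certificate[] encCerts) {
            this.popSignPublicKey = signPublicKey;
            this.popSignCerts = signCerts;
            this.popSignCert = signCerts[0];
            this.popEncPublicKey = encPublicKey;
            this.popEncCerts = encCerts;
            this.popEncCert = encCerts[0];
        }
    }

    /**
     * Private-key side of a TLCP certificate pair: the local signing key and
     * chain plus the local encryption key and chain.
     */
    public static final class TLCPPossession implements SSLPossession {
        final PrivateKey popSignPrivateKey;
        final X509Certificate[] popSignCerts;
        /** End-entity signing certificate, or null when no signing chain was given. */
        final X509Certificate popSignCert;
        /** Public key of {@link #popSignCert}, or null when that is null. */
        final PublicKey popSignPublicKey;
        final PrivateKey popEncPrivateKey;
        final X509Certificate[] popEncCerts;
        /** End-entity encryption certificate, or null when no encryption chain was given. */
        final X509Certificate popEncCert;
        /** Public key of {@link #popEncCert}, or null when that is null. */
        final PublicKey popEncPublicKey;

        /**
         * Builds a possession directly from keys and chains. Unlike
         * {@link PossessionEntry}, a null or empty chain is tolerated and leaves
         * the corresponding certificate and public key fields null.
         *
         * @param signPrivateKey local signing private key
         * @param signCerts local signing chain (may be null or empty)
         * @param encPrivateKey local encryption private key
         * @param encCerts local encryption chain (may be null or empty)
         */
        public TLCPPossession(PrivateKey signPrivateKey, X509Certificate[] signCerts,
                PrivateKey encPrivateKey, X509Certificate[] encCerts) {
            this.popSignPrivateKey = signPrivateKey;
            this.popSignCerts = signCerts;
            this.popSignCert = endEntityOrNull(signCerts);
            this.popSignPublicKey = this.popSignCert == null ? null : this.popSignCert.getPublicKey();

            this.popEncPrivateKey = encPrivateKey;
            this.popEncCerts = encCerts;
            this.popEncCert = endEntityOrNull(encCerts);
            this.popEncPublicKey = this.popEncCert == null ? null : this.popEncCert.getPublicKey();
        }

        /**
         * Combines two key-manager entries into a possession.
         *
         * @param signEntry entry whose certificate is used for signing
         * @param encEntry entry whose certificate is used for encryption (may be
         *        the same object as {@code signEntry}, see {@link #createPossession})
         */
        TLCPPossession(PossessionEntry signEntry, PossessionEntry encEntry) {
            this.popSignPrivateKey = signEntry.popPrivateKey;
            this.popSignCerts = signEntry.popCerts;
            this.popSignCert = signEntry.popCert;
            this.popSignPublicKey = signEntry.popPublicKey;
            this.popEncPrivateKey = encEntry.popPrivateKey;
            this.popEncCerts = encEntry.popCerts;
            this.popEncCert = encEntry.popCert;
            this.popEncPublicKey = encEntry.popPublicKey;
        }

        /** First element of {@code certs}, or null when {@code certs} is null or empty. */
        private static X509Certificate endEntityOrNull(X509Certificate[] certs) {
            return (certs == null || certs.length <= 0) ? null : certs[0];
        }

        /** EC parameters of the signing key; see the two-argument overload. */
        ECParameterSpec getECParameterSpec() {
            return getECParameterSpec(this.popSignPrivateKey, this.popSignCerts);
        }

        /**
         * Resolves the EC domain parameters of a private key.
         *
         * <p>Returns null unless the key reports algorithm {@code "EC"}. Keys that
         * implement {@link ECKey} expose their parameters directly; for "EC" keys
         * that do not (opaque provider keys, for instance) the parameters are read
         * from the end-entity certificate's public key instead.
         *
         * @param privateKey the key to inspect (may be null)
         * @param certs the chain whose first certificate is consulted as a fallback
         *        (may be null or empty)
         * @return the parameters, or null when they cannot be determined
         */
        ECParameterSpec getECParameterSpec(PrivateKey privateKey, X509Certificate[] certs) {
            if (privateKey == null || !"EC".equals(privateKey.getAlgorithm())) {
                return null;
            }
            if (privateKey instanceof ECKey) {
                return ((ECKey) privateKey).getParams();
            }
            if (certs == null || certs.length == 0) {
                return null;
            }
            PublicKey publicKey = certs[0].getPublicKey();
            return publicKey instanceof ECKey ? ((ECKey) publicKey).getParams() : null;
        }
    }

    /**
     * @param keyAlgorithm algorithm name the selected keys must report
     * @param keyTypes key types offered to the key manager when listing aliases
     */
    TLCPAuthentication(String keyAlgorithm, String... keyTypes) {
        this.keyAlgorithm = keyAlgorithm;
        this.keyTypes = keyTypes;
    }

    /**
     * Maps a signature scheme to its TLCP authentication.
     *
     * @return {@link #SM2} for {@code SignatureScheme.SM2SIG_SM3}, null for any
     *         other scheme
     */
    static TLCPAuthentication valueOf(SignatureScheme signatureScheme) {
        return signatureScheme == SignatureScheme.SM2SIG_SM3 ? SM2 : null;
    }

    /** Selects a local possession for this instance's {@link #keyTypes}. */
    @Override // com.tencent.kona.sun.security.ssl.SSLPossessionGenerator
    public SSLPossession createPossession(HandshakeContext handshakeContext) {
        return createPossession(handshakeContext, this.keyTypes);
    }

    /**
     * Handshake messages tied to this authentication: CERTIFICATE and
     * CERTIFICATE_REQUEST when TLCP 1.1 was negotiated, none otherwise.
     */
    @Override // com.tencent.kona.sun.security.ssl.SSLHandshakeBinding
    public SSLHandshake[] getRelatedHandshakers(HandshakeContext handshakeContext) {
        if (handshakeContext.negotiatedProtocol.isTLCP11()) {
            return new SSLHandshake[] {
                SSLHandshake.CERTIFICATE, SSLHandshake.CERTIFICATE_REQUEST
            };
        }
        return new SSLHandshake[0];
    }

    /**
     * Producer bound to this authentication: the CERTIFICATE message when
     * TLCP 1.1 was negotiated, nothing otherwise.
     */
    @Override // com.tencent.kona.sun.security.ssl.SSLHandshakeBinding
    @SuppressWarnings({"unchecked", "rawtypes"}) // generic arrays cannot be created directly
    public Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(HandshakeContext handshakeContext) {
        if (!handshakeContext.negotiatedProtocol.isTLCP11()) {
            return (Map.Entry<Byte, HandshakeProducer>[]) new Map.Entry[0];
        }
        return (Map.Entry<Byte, HandshakeProducer>[]) new Map.Entry[] {
            new AbstractMap.SimpleImmutableEntry<>(
                    SSLHandshake.CERTIFICATE.id, SSLHandshake.CERTIFICATE)
        };
    }

    /**
     * Selects a local signing/encryption possession for the given key types,
     * dispatching on whether the context is in client or server mode.
     *
     * @param handshakeContext a {@code ClientHandshakeContext} when
     *        {@code sslConfig.isClientMode} is set, a {@code ServerHandshakeContext}
     *        otherwise (the cast relies on that invariant)
     * @param keyTypes key types to try, in order
     * @return the possession, or null when no suitable pair of entries exists
     */
    public static SSLPossession createPossession(HandshakeContext handshakeContext, String[] keyTypes) {
        if (handshakeContext.sslConfig.isClientMode) {
            return createClientPossession((ClientHandshakeContext) handshakeContext, keyTypes);
        }
        return createServerPossession((ServerHandshakeContext) handshakeContext, keyTypes);
    }

    /** True when the SSL debug logger is enabled for the "ssl" category. */
    private static boolean sslLogOn() {
        return SSLLogger.isOn && SSLLogger.isOn("ssl");
    }

    /**
     * Defensive copy handed to the key manager so that it cannot alter the
     * handshake context's list of peer-supported authorities.
     */
    private static Principal[] cloneAuthorities(Principal[] authorities) {
        return authorities == null ? null : authorities.clone();
    }

    /**
     * Client-side selection. For each key type the client aliases are listed
     * and paired via {@link #selectPossession}. The first key type that yields
     * no aliases at all ends the search (the server side instead moves on to the
     * next key type); with the single {@code "EC"} key type used by this class
     * the two behave the same.
     */
    private static SSLPossession createClientPossession(ClientHandshakeContext chc, String[] keyTypes) {
        X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
        for (String keyType : keyTypes) {
            String[] aliases = km.getClientAliases(keyType, cloneAuthorities(chc.peerSupportedAuthorities));
            if (aliases == null || aliases.length == 0) {
                if (sslLogOn()) {
                    SSLLogger.finest("No X.509 cert selected for " + Arrays.toString(keyTypes));
                }
                return null;
            }
            TLCPPossession possession =
                    selectPossession(aliases, alias -> clientPossEntry(chc, keyType, km, alias));
            if (possession != null) {
                return possession;
            }
        }
        return null;
    }

    /**
     * Server-side selection. Key types that yield no aliases are logged and
     * skipped; the first key type producing a complete pair wins.
     */
    private static SSLPossession createServerPossession(ServerHandshakeContext shc, String[] keyTypes) {
        X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();
        for (String keyType : keyTypes) {
            String[] aliases = km.getServerAliases(keyType, cloneAuthorities(shc.peerSupportedAuthorities));
            if (aliases == null || aliases.length == 0) {
                if (sslLogOn()) {
                    SSLLogger.finest("No X.509 cert selected for " + keyType);
                }
                continue;
            }
            TLCPPossession possession =
                    selectPossession(aliases, alias -> serverPossEntry(shc, keyType, km, alias));
            if (possession != null) {
                return possession;
            }
        }
        return null;
    }

    /**
     * Pairs the first usable signing entry with the first usable encryption
     * entry among the given aliases, in alias order.
     *
     * <p>The scan is independent of alias order: an encryption certificate that
     * is listed before the signing certificate is remembered and the scan
     * continues until both roles are filled (or the aliases are exhausted),
     * rather than stopping at the first encryption certificate and failing
     * with "No X.509 sign cert selected" although a signing certificate exists
     * under a later alias. An entry whose certificate qualifies as both a
     * signing and an encryption certificate is taken for the signing role first.
     *
     * @param aliases candidate aliases from the key manager (non-empty)
     * @param entryFor resolves an alias to an entry, or to null when the alias
     *        is unusable (no private key, no chain, wrong algorithm or group)
     * @return the possession built by {@link #createPossession}, or null
     */
    private static TLCPPossession selectPossession(String[] aliases,
            Function<String, PossessionEntry> entryFor) {
        PossessionEntry signEntry = null;
        PossessionEntry encEntry = null;
        for (String alias : aliases) {
            PossessionEntry entry = entryFor.apply(alias);
            if (entry == null) {
                continue;
            }
            if (signEntry == null && PKIXUtils.isSignCert(entry.popCert)) {
                signEntry = entry;
            } else if (encEntry == null && PKIXUtils.isEncCert(entry.popCert)) {
                encEntry = entry;
            }
            if (signEntry != null && encEntry != null) {
                break;
            }
        }
        return createPossession(signEntry, encEntry);
    }

    /**
     * Resolves a client alias to an entry.
     *
     * <p>The alias is rejected (null returned, with a debug log when enabled)
     * when it has no private key, no certificate chain, a private key whose
     * algorithm differs from {@code keyType}, a public key whose algorithm
     * differs from the private key's, or a public key that fails
     * {@link #checkPublicKey}.
     */
    private static PossessionEntry clientPossEntry(ClientHandshakeContext chc, String keyType,
            X509ExtendedKeyManager km, String alias) {
        PrivateKey privateKey = km.getPrivateKey(alias);
        if (privateKey == null) {
            if (sslLogOn()) {
                SSLLogger.finest(alias + " is not a private key entry");
            }
            return null;
        }

        X509Certificate[] chain = km.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            if (sslLogOn()) {
                SSLLogger.finest(alias + " is a private key entry with no cert chain stored");
            }
            return null;
        }

        String privateAlgorithm = privateKey.getAlgorithm();
        if (!keyType.equals(privateAlgorithm)) {
            if (sslLogOn()) {
                SSLLogger.fine(alias + " private key algorithm " + privateAlgorithm + " not in request list");
            }
            return null;
        }

        PublicKey publicKey = chain[0].getPublicKey();
        String publicAlgorithm = publicKey.getAlgorithm();
        if (!privateAlgorithm.equals(publicAlgorithm)) {
            if (sslLogOn()) {
                SSLLogger.fine(alias + " private or public key is not of same algorithm: "
                        + privateAlgorithm + " vs " + publicAlgorithm);
            }
            return null;
        }

        return checkPublicKey(alias, publicKey, chc) ? new PossessionEntry(privateKey, chain) : null;
    }

    /**
     * Builds the possession from the selected entries, logging a warning (when
     * enabled) and returning null if either role is unfilled.
     *
     * <p>When no dedicated encryption entry was found but the signing
     * certificate also qualifies as an encryption certificate, the signing
     * entry is reused for both roles. That reuse gives up the separation of
     * signing and encryption keys that the two-certificate design provides;
     * whether the peer accepts a shared certificate is decided elsewhere.
     *
     * @param signEntry selected signing entry (may be null)
     * @param encEntry selected encryption entry (may be null)
     */
    private static TLCPPossession createPossession(PossessionEntry signEntry, PossessionEntry encEntry) {
        if (signEntry == null) {
            if (sslLogOn()) {
                SSLLogger.warning("No X.509 sign cert selected");
            }
            return null;
        }

        PossessionEntry effectiveEncEntry = encEntry;
        if (effectiveEncEntry == null && PKIXUtils.isEncCert(signEntry.popCert)) {
            effectiveEncEntry = signEntry;
        }
        if (effectiveEncEntry == null) {
            if (sslLogOn()) {
                SSLLogger.warning("No X.509 enc cert selected");
            }
            return null;
        }
        return new TLCPPossession(signEntry, effectiveEncEntry);
    }

    /**
     * Resolves a server alias to an entry.
     *
     * <p>The alias is rejected when it has no private key, no certificate
     * chain, or when either key's algorithm differs from {@code keyType}. The
     * named-group check of {@link #checkPublicKey} is applied only for EC keys
     * and only when the negotiated protocol does not use the TLS 1.3+ spec.
     */
    private static PossessionEntry serverPossEntry(ServerHandshakeContext shc, String keyType,
            X509ExtendedKeyManager km, String alias) {
        PrivateKey privateKey = km.getPrivateKey(alias);
        if (privateKey == null) {
            if (sslLogOn()) {
                SSLLogger.finest(alias + " is not a private key entry");
            }
            return null;
        }

        X509Certificate[] chain = km.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            if (sslLogOn()) {
                SSLLogger.finest(alias + " is not a certificate entry");
            }
            return null;
        }

        PublicKey publicKey = chain[0].getPublicKey();
        if (!privateKey.getAlgorithm().equals(keyType) || !publicKey.getAlgorithm().equals(keyType)) {
            if (sslLogOn()) {
                SSLLogger.fine(alias + " private or public key is not of " + keyType + " algorithm");
            }
            return null;
        }

        boolean needsGroupCheck = !shc.negotiatedProtocol.useTLS13PlusSpec() && keyType.equals("EC");
        if (needsGroupCheck && !checkPublicKey(alias, publicKey, shc)) {
            return null;
        }
        return new PossessionEntry(privateKey, chain);
    }

    /**
     * Accepts a public key only if it is an {@link ECPublicKey} on the SM2
     * curve: its parameters must resolve to {@code NamedGroup.CURVESM2}, that
     * group must be enabled in {@code SupportedGroups}, and, when the client
     * sent a group list, the group must be in it. Rejections are logged as
     * warnings when logging is enabled.
     *
     * @param alias key-manager alias, used only in log messages
     * @param publicKey the certificate's public key
     * @param handshakeContext source of {@code clientRequestedNamedGroups}
     */
    private static boolean checkPublicKey(String alias, PublicKey publicKey, HandshakeContext handshakeContext) {
        if (!(publicKey instanceof ECPublicKey)) {
            if (sslLogOn()) {
                SSLLogger.warning(alias + " public key is not an instance of ECPublicKey");
            }
            return false;
        }

        NamedGroup group = NamedGroup.valueOf(((ECPublicKey) publicKey).getParams());
        boolean clientAccepts = handshakeContext.clientRequestedNamedGroups == null
                || handshakeContext.clientRequestedNamedGroups.contains(group);
        if (group == NamedGroup.CURVESM2
                && SupportedGroupsExtension.SupportedGroups.isSupported(group)
                && clientAccepts) {
            return true;
        }

        if (sslLogOn()) {
            SSLLogger.warning("Unsupported named group (" + group + ") used in the " + alias + " certificate");
        }
        return false;
    }
}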
