package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.crypto.CryptoInsts;
import com.tencent.kona.crypto.spec.SM2KeyAgreementParamSpec;
import com.tencent.kona.sun.security.ssl.NamedGroup;
import com.tencent.kona.sun.security.ssl.TLCPAuthentication;
import com.tencent.kona.sun.security.util.ECUtil;
import java.io.IOException;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPublicKeySpec;
import java.util.EnumSet;
import java.util.Iterator;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLHandshakeException;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EKeyExchange.class */
public class SM2EKeyExchange {
    static final SSLPossessionGenerator sm2ePoGenerator = new SM2EPossessionGenerator();
    static final SSLKeyAgreementGenerator sm2eKAGenerator = new SM2EKAGenerator();

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EKeyExchange$SM2ECredentials.class */
    static final class SM2ECredentials implements NamedGroupCredentials {
        final ECPublicKey ephemeralPublicKey;
        final NamedGroup namedGroup;

        /* JADX INFO: Access modifiers changed from: package-private */
        public SM2ECredentials(ECPublicKey eCPublicKey, NamedGroup namedGroup) {
            this.ephemeralPublicKey = eCPublicKey;
            this.namedGroup = namedGroup;
        }

        @Override // com.tencent.kona.sun.security.ssl.NamedGroupCredentials
        public PublicKey getPublicKey() {
            return this.ephemeralPublicKey;
        }

        @Override // com.tencent.kona.sun.security.ssl.NamedGroupCredentials
        public NamedGroup getNamedGroup() {
            return this.namedGroup;
        }

        static SM2ECredentials valueOf(NamedGroup namedGroup, byte[] bArr) throws IOException, GeneralSecurityException {
            if (namedGroup != NamedGroup.CURVESM2) {
                throw new RuntimeException("Credentials decoding: Not named group curveSM2");
            }
            if (bArr == null || bArr.length == 0) {
                return null;
            }
            ECParameterSpec eCParameterSpec = (ECParameterSpec) namedGroup.keAlgParamSpec;
            return new SM2ECredentials((ECPublicKey) CryptoInsts.getKeyFactory("SM2").generatePublic(new ECPublicKeySpec(ECUtil.decodePoint(bArr, eCParameterSpec.getCurve()), eCParameterSpec)), namedGroup);
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EKeyExchange$SM2EKAGenerator.class */
    private static final class SM2EKAGenerator implements SSLKeyAgreementGenerator {
        private SM2EKAGenerator() {
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLKeyAgreementGenerator
        public SSLKeyDerivation createKeyDerivation(HandshakeContext handshakeContext) throws IOException {
            SM2EPossession sM2EPossession = null;
            SM2ECredentials sM2ECredentials = null;
            Iterator<SSLPossession> it = handshakeContext.handshakePossessions.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SSLPossession next = it.next();
                if (next instanceof SM2EPossession) {
                    NamedGroup namedGroup = ((SM2EPossession) next).namedGroup;
                    Iterator<SSLCredentials> it2 = handshakeContext.handshakeCredentials.iterator();
                    while (true) {
                        if (!it2.hasNext()) {
                            break;
                        }
                        SSLCredentials next2 = it2.next();
                        if ((next2 instanceof SM2ECredentials) && namedGroup.equals(((SM2ECredentials) next2).namedGroup)) {
                            sM2ECredentials = (SM2ECredentials) next2;
                            break;
                        }
                    }
                    if (sM2ECredentials != null) {
                        sM2EPossession = (SM2EPossession) next;
                        break;
                    }
                }
            }
            if (sM2EPossession == null || sM2ECredentials == null) {
                throw handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No sufficient SM2 key agreement parameters negotiated");
            }
            return new SM2KAKeyDerivation("SM2", handshakeContext, sM2EPossession.ephemeralPrivateKey, sM2ECredentials.ephemeralPublicKey);
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EKeyExchange$SM2EPossession.class */
    static final class SM2EPossession implements NamedGroupPossession {
        final ECPrivateKey ephemeralPrivateKey;
        final ECPublicKey ephemeralPublicKey;
        final ECPrivateKey popEncPrivateKey;
        final ECPublicKey popEncPublicKey;
        final NamedGroup namedGroup;

        /* JADX INFO: Access modifiers changed from: package-private */
        public SM2EPossession(TLCPAuthentication.TLCPPossession tLCPPossession, NamedGroup namedGroup, SecureRandom secureRandom) {
            try {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
                keyPairGenerator.initialize(namedGroup.keAlgParamSpec, secureRandom);
                KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
                this.ephemeralPrivateKey = (ECPrivateKey) generateKeyPair.getPrivate();
                this.ephemeralPublicKey = (ECPublicKey) generateKeyPair.getPublic();
                this.popEncPrivateKey = (ECPrivateKey) tLCPPossession.popEncPrivateKey;
                this.popEncPublicKey = (ECPublicKey) tLCPPossession.popEncPublicKey;
                this.namedGroup = namedGroup;
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Could not generate SM2 keypair", e);
            }
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLPossession
        public byte[] encode() {
            return ECUtil.encodePoint(this.ephemeralPublicKey.getW(), this.ephemeralPublicKey.getParams().getCurve());
        }

        SecretKey getAgreedSecret(ECPublicKey eCPublicKey, boolean z) throws SSLHandshakeException {
            try {
                AlgorithmParameterSpec sM2KeyAgreementParamSpec = new SM2KeyAgreementParamSpec(this.popEncPrivateKey, this.popEncPublicKey, eCPublicKey, z, 32);
                KeyAgreement keyAgreement = CryptoInsts.getKeyAgreement("SM2");
                keyAgreement.init(this.ephemeralPrivateKey, sM2KeyAgreementParamSpec);
                keyAgreement.doPhase(eCPublicKey, true);
                return keyAgreement.generateSecret("TlsPremasterSecret");
            } catch (GeneralSecurityException e) {
                throw ((SSLHandshakeException) new SSLHandshakeException("Could not generate secret").initCause(e));
            }
        }

        SecretKey getAgreedSecret(byte[] bArr, boolean z) throws SSLHandshakeException {
            try {
                ECParameterSpec params = this.ephemeralPublicKey.getParams();
                return getAgreedSecret((ECPublicKey) CryptoInsts.getKeyFactory("SM2").generatePublic(new ECPublicKeySpec(ECUtil.decodePoint(bArr, params.getCurve()), params)), z);
            } catch (IOException | GeneralSecurityException e) {
                throw ((SSLHandshakeException) new SSLHandshakeException("Could not generate secret").initCause(e));
            }
        }

        void checkConstraints(AlgorithmConstraints algorithmConstraints, byte[] bArr) throws SSLHandshakeException {
            try {
                ECParameterSpec params = this.ephemeralPublicKey.getParams();
                if (algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), (ECPublicKey) CryptoInsts.getKeyFactory("SM2").generatePublic(new ECPublicKeySpec(ECUtil.decodePoint(bArr, params.getCurve()), params)))) {
                } else {
                    throw new SSLHandshakeException("ECPublicKey does not comply to algorithm constraints");
                }
            } catch (IOException | GeneralSecurityException e) {
                throw ((SSLHandshakeException) new SSLHandshakeException("Could not generate ECPublicKey").initCause(e));
            }
        }

        @Override // com.tencent.kona.sun.security.ssl.NamedGroupPossession
        public PublicKey getPublicKey() {
            return this.ephemeralPublicKey;
        }

        @Override // com.tencent.kona.sun.security.ssl.NamedGroupPossession
        public NamedGroup getNamedGroup() {
            return this.namedGroup;
        }

        @Override // com.tencent.kona.sun.security.ssl.NamedGroupPossession
        public PrivateKey getPrivateKey() {
            return this.ephemeralPrivateKey;
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EKeyExchange$SM2EPossessionGenerator.class */
    private static final class SM2EPossessionGenerator implements SSLPossessionGenerator {
        private SM2EPossessionGenerator() {
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLPossessionGenerator
        public SSLPossession createPossession(HandshakeContext handshakeContext) {
            NamedGroup preferredGroup = (handshakeContext.clientRequestedNamedGroups == null || handshakeContext.clientRequestedNamedGroups.isEmpty()) ? NamedGroup.getPreferredGroup(handshakeContext.sslConfig, handshakeContext.negotiatedProtocol, handshakeContext.algorithmConstraints, new NamedGroup.NamedGroupSpec[]{NamedGroup.NamedGroupSpec.NAMED_GROUP_ECDHE}) : NamedGroup.getPreferredGroup(handshakeContext.sslConfig, handshakeContext.negotiatedProtocol, handshakeContext.algorithmConstraints, new NamedGroup.NamedGroupSpec[]{NamedGroup.NamedGroupSpec.NAMED_GROUP_ECDHE}, handshakeContext.clientRequestedNamedGroups);
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) handshakeContext;
            TLCPAuthentication.TLCPPossession tLCPPossession = null;
            if (serverHandshakeContext.interimAuthn instanceof TLCPAuthentication.TLCPPossession) {
                tLCPPossession = (TLCPAuthentication.TLCPPossession) serverHandshakeContext.interimAuthn;
            }
            if (preferredGroup == NamedGroup.CURVESM2) {
                return new SM2EPossession(tLCPPossession, preferredGroup, handshakeContext.sslContext.getSecureRandom());
            }
            return null;
        }
    }
}
