package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.crypto.spec.SM2KeyAgreementParamSpec;
import com.tencent.kona.crypto.spec.SM2PublicKeySpec;
import com.tencent.kona.sun.security.ssl.SM2EKeyExchange;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.ssl.TLCPAuthentication;
import com.tencent.kona.sun.security.util.HexDumpEncoder;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.text.MessageFormat;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Locale;
import javax.crypto.SecretKey;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EClientKeyExchange.class */
public class SM2EClientKeyExchange {
    static final SSLConsumer sm2eHandshakeConsumer = new SM2EClientKeyExchangeConsumer();
    static final HandshakeProducer sm2eHandshakeProducer = new SM2EClientKeyExchangeProducer();

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EClientKeyExchange$SM2EClientKeyExchangeConsumer.class */
    private static final class SM2EClientKeyExchangeConsumer implements SSLConsumer {
        private SM2EClientKeyExchangeConsumer() {
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) connectionContext;
            SM2EKeyExchange.SM2EPossession sM2EPossession = null;
            Iterator<SSLPossession> it = serverHandshakeContext.handshakePossessions.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SSLPossession next = it.next();
                if (next instanceof SM2EKeyExchange.SM2EPossession) {
                    sM2EPossession = (SM2EKeyExchange.SM2EPossession) next;
                    break;
                }
            }
            if (sM2EPossession == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "No expected SM2E possessions for client key exchange");
            }
            NamedGroup valueOf = NamedGroup.valueOf(sM2EPossession.popEncPublicKey.getParams());
            if (valueOf != NamedGroup.CURVESM2) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported EC server cert for SM2E client key exchange");
            }
            SSLKeyExchange valueOf2 = SSLKeyExchange.valueOf(serverHandshakeContext.negotiatedCipherSuite.keyExchange, serverHandshakeContext.negotiatedProtocol);
            if (valueOf2 == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type");
            }
            SM2EClientKeyExchangeMessage sM2EClientKeyExchangeMessage = new SM2EClientKeyExchangeMessage(serverHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming SM2E ClientKeyExchange handshake message", new Object[]{sM2EClientKeyExchangeMessage});
            }
            try {
                SM2EKeyExchange.SM2ECredentials sM2ECredentials = new SM2EKeyExchange.SM2ECredentials((ECPublicKey) KeyFactory.getInstance("SM2").generatePublic(new SM2PublicKeySpec(sM2EClientKeyExchangeMessage.encodedPoint)), valueOf);
                if (serverHandshakeContext.algorithmConstraints != null && (sM2ECredentials instanceof NamedGroupCredentials) && !serverHandshakeContext.algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), sM2ECredentials.getPublicKey())) {
                    serverHandshakeContext.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "ClientKeyExchange for " + valueOf + " does not comply with algorithm constraints");
                }
                serverHandshakeContext.handshakeCredentials.add(sM2ECredentials);
                TLCPAuthentication.TLCPCredentials tLCPCredentials = null;
                Iterator<SSLCredentials> it2 = serverHandshakeContext.handshakeCredentials.iterator();
                while (true) {
                    if (!it2.hasNext()) {
                        break;
                    }
                    SSLCredentials next2 = it2.next();
                    if (next2 instanceof TLCPAuthentication.TLCPCredentials) {
                        tLCPCredentials = (TLCPAuthentication.TLCPCredentials) next2;
                        break;
                    }
                }
                SecretKey deriveKey = valueOf2.createKeyDerivation(serverHandshakeContext).deriveKey("MasterSecret", new SM2KeyAgreementParamSpec(sM2EPossession.popEncPrivateKey, sM2EPossession.popEncPublicKey, (ECPublicKey) tLCPCredentials.popEncPublicKey, true, 48));
                serverHandshakeContext.handshakeSession.setMasterSecret(deriveKey);
                SSLTrafficKeyDerivation valueOf3 = SSLTrafficKeyDerivation.valueOf(serverHandshakeContext.negotiatedProtocol);
                if (valueOf3 == null) {
                    throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + serverHandshakeContext.negotiatedProtocol);
                }
                serverHandshakeContext.handshakeKeyDerivation = valueOf3.createKeyDerivation(serverHandshakeContext, deriveKey);
            } catch (GeneralSecurityException e) {
                throw serverHandshakeContext.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Cannot decode ECDH PublicKey: " + valueOf);
            }
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EClientKeyExchange$SM2EClientKeyExchangeMessage.class */
    private static final class SM2EClientKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        private static final byte CURVE_NAMED_CURVE = 3;
        private final byte[] encodedPoint;

        SM2EClientKeyExchangeMessage(HandshakeContext handshakeContext, byte[] bArr) {
            super(handshakeContext);
            this.encodedPoint = bArr;
        }

        SM2EClientKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            Record.getInt8(byteBuffer);
            Record.getInt16(byteBuffer);
            if (byteBuffer.remaining() != 0) {
                this.encodedPoint = Record.getBytes8(byteBuffer);
            } else {
                this.encodedPoint = new byte[0];
            }
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.CLIENT_KEY_EXCHANGE;
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            if (this.encodedPoint == null || this.encodedPoint.length == 0) {
                return 0;
            }
            return 1 + this.encodedPoint.length + CURVE_NAMED_CURVE;
        }

        @Override // com.tencent.kona.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) throws IOException {
            handshakeOutStream.putInt8(CURVE_NAMED_CURVE);
            handshakeOutStream.putInt16(NamedGroup.CURVESM2.id);
            if (this.encodedPoint == null || this.encodedPoint.length == 0) {
                return;
            }
            handshakeOutStream.putBytes8(this.encodedPoint);
        }

        public String toString() {
            MessageFormat messageFormat = new MessageFormat("\"SM2 ClientKeyExchange\": '{'\n  \"SM2 public\": '{'\n{0}\n  '}',\n'}'", Locale.ENGLISH);
            return (this.encodedPoint == null || this.encodedPoint.length == 0) ? messageFormat.format(new Object[]{"    <implicit>"}) : messageFormat.format(new Object[]{Utilities.indent(new HexDumpEncoder().encodeBuffer(this.encodedPoint), "    ")});
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/SM2EClientKeyExchange$SM2EClientKeyExchangeProducer.class */
    private static final class SM2EClientKeyExchangeProducer implements HandshakeProducer {
        private SM2EClientKeyExchangeProducer() {
        }

        @Override // com.tencent.kona.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) connectionContext;
            SM2EKeyExchange.SM2ECredentials sM2ECredentials = null;
            Iterator<SSLCredentials> it = clientHandshakeContext.handshakeCredentials.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SSLCredentials next = it.next();
                if (next instanceof SM2EKeyExchange.SM2ECredentials) {
                    sM2ECredentials = (SM2EKeyExchange.SM2ECredentials) next;
                    break;
                }
            }
            if (sM2ECredentials == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "No SM2E credentials negotiated for client key exchange");
            }
            TLCPAuthentication.TLCPPossession tLCPPossession = null;
            Iterator<SSLPossession> it2 = clientHandshakeContext.handshakePossessions.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                SSLPossession next2 = it2.next();
                if (next2 instanceof TLCPAuthentication.TLCPPossession) {
                    tLCPPossession = (TLCPAuthentication.TLCPPossession) next2;
                    break;
                }
            }
            SM2EKeyExchange.SM2EPossession sM2EPossession = new SM2EKeyExchange.SM2EPossession(tLCPPossession, sM2ECredentials.namedGroup, clientHandshakeContext.sslContext.getSecureRandom());
            clientHandshakeContext.handshakePossessions.add(sM2EPossession);
            SM2EClientKeyExchangeMessage sM2EClientKeyExchangeMessage = new SM2EClientKeyExchangeMessage(clientHandshakeContext, sM2EPossession.encode());
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced SM2E ClientKeyExchange handshake message", new Object[]{sM2EClientKeyExchangeMessage});
            }
            sM2EClientKeyExchangeMessage.write(clientHandshakeContext.handshakeOutput);
            clientHandshakeContext.handshakeOutput.flush();
            TLCPAuthentication.TLCPCredentials tLCPCredentials = null;
            Iterator<SSLCredentials> it3 = clientHandshakeContext.handshakeCredentials.iterator();
            while (true) {
                if (!it3.hasNext()) {
                    break;
                }
                SSLCredentials next3 = it3.next();
                if (next3 instanceof TLCPAuthentication.TLCPCredentials) {
                    tLCPCredentials = (TLCPAuthentication.TLCPCredentials) next3;
                    break;
                }
            }
            SSLKeyExchange valueOf = SSLKeyExchange.valueOf(clientHandshakeContext.negotiatedCipherSuite.keyExchange, clientHandshakeContext.negotiatedProtocol);
            if (valueOf == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type");
            }
            SecretKey deriveKey = valueOf.createKeyDerivation(clientHandshakeContext).deriveKey("MasterSecret", new SM2KeyAgreementParamSpec((ECPrivateKey) tLCPPossession.popEncPrivateKey, (ECPublicKey) tLCPPossession.popEncPublicKey, (ECPublicKey) tLCPCredentials.popEncPublicKey, false, 48));
            clientHandshakeContext.handshakeSession.setMasterSecret(deriveKey);
            SSLTrafficKeyDerivation valueOf2 = SSLTrafficKeyDerivation.valueOf(clientHandshakeContext.negotiatedProtocol);
            if (valueOf2 == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + clientHandshakeContext.negotiatedProtocol);
            }
            clientHandshakeContext.handshakeKeyDerivation = valueOf2.createKeyDerivation(clientHandshakeContext, deriveKey);
            return null;
        }
    }
}
