package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.pkix.PKIXUtils;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.ssl.TLCPAuthentication;
import com.tencent.kona.sun.security.util.HexDumpEncoder;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Locale;

/**
 * TLCP {@code CertificateVerify} handshake message.
 *
 * <p>On the client side the producer signs the digest of the handshake
 * transcript with the SM2 signing private key of the negotiated
 * {@code TLCPPossession}.  On the server side the consumer parses the
 * signature from the wire and verifies it against the SM2 signing public
 * key of the negotiated {@code TLCPCredentials}.  The scheme is fixed to
 * {@code sm2sig_sm3}; unlike the TLS 1.2 message, no algorithm identifier
 * is carried on the wire, only the length-prefixed signature.
 */
final class TLCPCertificateVerify {
    /** Server-side consumer of the peer's CertificateVerify message. */
    static final SSLConsumer tlcpHandshakeConsumer =
            new TLCPCertificateVerifyConsumer();

    /** Client-side producer of the CertificateVerify message. */
    static final HandshakeProducer tlcpHandshakeProducer =
            new TLCPCertificateVerifyProducer();

    /** Not meant to be instantiated; the static singletons above are the API. */
    TLCPCertificateVerify() {
    }

    /**
     * The CertificateVerify handshake message consumer (server side).
     */
    private static final class TLCPCertificateVerifyConsumer
            implements SSLConsumer {
        private TLCPCertificateVerifyConsumer() {
            // singleton, see TLCPCertificateVerify.tlcpHandshakeConsumer
        }

        /**
         * Consumes a CertificateVerify message, rejecting it if it arrives
         * out of order and verifying its signature while parsing.
         *
         * @throws IOException a fatal alert is raised (via the connection
         *         context) on an unexpected message, a missing credential,
         *         a malformed body or an invalid signature
         */
        @Override
        public void consume(ConnectionContext connectionContext,
                ByteBuffer byteBuffer) throws IOException {
            // This happens on the server side only.
            ServerHandshakeContext shc =
                    (ServerHandshakeContext) connectionContext;

            // One-shot consumer: unregister it before doing anything else.
            shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);

            // CertificateVerify must follow ClientKeyExchange.  If the
            // ClientKeyExchange consumer is still registered that message
            // has not been processed yet, so this one is out of order.
            if (shc.handshakeConsumers.containsKey(
                    SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                        "Unexpected CertificateVerify handshake message");
            }

            // Parsing also performs the signature verification; a bad
            // signature surfaces as a fatal alert thrown by the constructor.
            TLCPCertificateVerifyMessage cvm =
                    new TLCPCertificateVerifyMessage(shc, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                        "Consuming CertificateVerify handshake message", cvm);
            }
        }
    }

    /**
     * The CertificateVerify handshake message for TLCP.
     *
     * <p>Wire format: {@code opaque signature<0..2^16-1>} — a 2-byte length
     * followed by the SM2 signature over the handshake transcript digest.
     */
    private static final class TLCPCertificateVerifyMessage
            extends SSLHandshake.HandshakeMessage {
        // SM2 signature over the transcript digest, sent as a 16-bit
        // length-prefixed vector.
        private final byte[] signature;

        /**
         * Client side: produces the signature with the SM2 signing private
         * key of the negotiated possession.
         *
         * @throws IOException a fatal HANDSHAKE_FAILURE alert if the
         *         signature cannot be produced
         */
        TLCPCertificateVerifyMessage(HandshakeContext handshakeContext,
                TLCPAuthentication.TLCPPossession tLCPPossession)
                throws IOException {
            super(handshakeContext);
            ClientHandshakeContext chc =
                    (ClientHandshakeContext) handshakeContext;
            try {
                // NOTE(review): the meaning of the trailing boolean is
                // defined by SignatureScheme.getSigner, not visible here.
                Signature signer = SignatureScheme.SM2SIG_SM3.getSigner(
                        tLCPPossession.popSignPrivateKey,
                        tLCPPossession.popSignPublicKey, false);
                // Sign the digest of the handshake transcript as it stands now.
                signer.update(chc.handshakeHash.digest());
                signature = signer.sign();
            } catch (SignatureException se) {
                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Cannot produce CertificateVerify signature", se);
            }
        }

        /**
         * Server side: parses the signature from the wire and verifies it
         * with the SM2 signing public key of the negotiated credentials.
         *
         * @throws IOException a fatal alert: ILLEGAL_PARAMETER on a
         *         truncated body, HANDSHAKE_FAILURE when no TLCP credentials
         *         with a signing public key are present, when the signing
         *         certificate is not an SM certificate, or when the signature
         *         does not verify, INTERNAL_ERROR when the verifier cannot
         *         be instantiated
         */
        TLCPCertificateVerifyMessage(HandshakeContext handshakeContext,
                ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            ServerHandshakeContext shc =
                    (ServerHandshakeContext) handshakeContext;

            //  struct {
            //      opaque signature<0..2^16-1>;
            //  }
            // At least the 2-byte length prefix must be present.
            if (byteBuffer.remaining() < 2) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                        "Invalid CertificateVerify message: no sufficient data");
            }

            // The credentials are looked up before the body is consumed, so
            // a missing credential is reported ahead of any length error.
            TLCPAuthentication.TLCPCredentials creds = firstTlcpCredentials(shc);
            if (creds == null || creds.popSignPublicKey == null) {
                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "No X509 credentials negotiated for CertificateVerify");
            }

            // opaque signature<0..2^16-1>
            signature = Record.getBytes16(byteBuffer);

            // The verifier below is fixed to sm2sig_sm3, so the peer's
            // signing certificate has to be an SM certificate.
            if (!PKIXUtils.isSMCert(creds.popSignCert)) {
                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Only support SM certificate");
            }

            try {
                Signature verifier = SignatureScheme.SM2SIG_SM3.getVerifier(
                        creds.popSignPublicKey);
                // Verify against the digest of the transcript as it stands now.
                verifier.update(shc.handshakeHash.digest());
                if (!verifier.verify(signature)) {
                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                            "Invalid CertificateVerify signature");
                }
            } catch (NoSuchAlgorithmException
                    | InvalidAlgorithmParameterException nsae) {
                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                        "Unsupported signature algorithm (sm2sig_sm3)used in CertificateVerify handshake message", nsae);
            } catch (InvalidKeyException | SignatureException ikse) {
                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Cannot verify CertificateVerify signature", ikse);
            }
        }

        /**
         * Returns the first {@code TLCPCredentials} entry among the
         * negotiated handshake credentials, or {@code null} if there is none.
         */
        private static TLCPAuthentication.TLCPCredentials firstTlcpCredentials(
                ServerHandshakeContext shc) {
            for (SSLCredentials cred : shc.handshakeCredentials) {
                if (cred instanceof TLCPAuthentication.TLCPCredentials) {
                    return (TLCPAuthentication.TLCPCredentials) cred;
                }
            }
            return null;
        }

        @Override
        public SSLHandshake handshakeType() {
            return SSLHandshake.CERTIFICATE_VERIFY;
        }

        /** Two bytes of length prefix plus the signature itself. */
        @Override
        public int messageLength() {
            return 2 + signature.length;
        }

        @Override
        public void send(HandshakeOutStream handshakeOutStream)
                throws IOException {
            handshakeOutStream.putBytes16(signature);
        }

        /** Human-readable dump used by the handshake logger. */
        @Override
        public String toString() {
            MessageFormat messageFormat = new MessageFormat(
                    "\"CertificateVerify\": '{'\n" +
                    "  \"signature algorithm\": sm2sig_sm3\n" +
                    "  \"signature\": '{'\n" +
                    "{0}\n" +
                    "  '}'\n" +
                    "'}'",
                    Locale.ENGLISH);
            Object[] messageFields = {
                Utilities.indent(
                        new HexDumpEncoder().encodeBuffer(signature), "    ")
            };
            return messageFormat.format(messageFields);
        }
    }

    /**
     * The CertificateVerify handshake message producer (client side).
     */
    private static final class TLCPCertificateVerifyProducer
            implements HandshakeProducer {
        private TLCPCertificateVerifyProducer() {
            // singleton, see TLCPCertificateVerify.tlcpHandshakeProducer
        }

        /**
         * Writes a CertificateVerify message to the handshake output when a
         * TLCP possession with a signing private key has been negotiated;
         * otherwise writes nothing.
         *
         * @return always {@code null}; the message is written directly to
         *         the handshake output stream
         * @throws IOException a fatal alert if the signature cannot be
         *         produced, or an I/O error on write/flush
         */
        @Override
        public byte[] produce(ConnectionContext connectionContext,
                SSLHandshake.HandshakeMessage handshakeMessage)
                throws IOException {
            // This happens on the client side only.
            ClientHandshakeContext chc =
                    (ClientHandshakeContext) connectionContext;

            // Use the first TLCP possession among the negotiated possessions.
            TLCPAuthentication.TLCPPossession possession = null;
            for (SSLPossession poss : chc.handshakePossessions) {
                if (poss instanceof TLCPAuthentication.TLCPPossession) {
                    possession = (TLCPAuthentication.TLCPPossession) poss;
                    break;
                }
            }

            // Without a signing private key there is nothing to sign with;
            // no CertificateVerify is written in that case.
            if (possession == null || possession.popSignPrivateKey == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine(
                            "No X.509 credentials negotiated for CertificateVerify");
                }
                return null;
            }

            TLCPCertificateVerifyMessage cvm =
                    new TLCPCertificateVerifyMessage(chc, possession);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                        "Produced CertificateVerify handshake message", cvm);
            }

            // Output the handshake message.
            cvm.write(chc.handshakeOutput);
            chc.handshakeOutput.flush();

            // The message has been written; nothing is returned to the caller.
            return null;
        }
    }
}
