package org.openeuler.sun.security.ssl;

import com.sun.jna.platform.win32.LMErr;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECParameterSpec;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Locale;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.openeuler.SM2KeyExchangeUtil;
import org.openeuler.gm.GMConstants;
import org.openeuler.sun.misc.HexDumpEncoder;
import org.openeuler.sun.security.ssl.GMX509Authentication;
import org.openeuler.sun.security.ssl.SM2KeyExchange;
import org.openeuler.sun.security.ssl.SSLHandshake;
import org.openeuler.sun.security.ssl.SupportedGroupsExtension;

/* loaded from: input_file:WEB-INF/lib/jsse-1.0.3.jar:org/openeuler/sun/security/ssl/SM2ServerKeyExchange.class */
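/**
 * ServerKeyExchange handling for the SM2 key exchange: the server-side producer that builds
 * and sends the message, the client-side consumer that parses and verifies it, and the
 * message type itself.
 *
 * <p>This source is decompiler output. Two things were repaired relative to the decompiled
 * text: the algorithm dispatch in {@code getSignature} (emitted as a non-compiling
 * {@code boolean}/{@code hashCode} switch) and the unguarded credential dereference in the
 * consumer.
 */
final class SM2ServerKeyExchange {
    static final SSLConsumer sm2HandshakeConsumer = new SM2ServerKeyExchangeConsumer();
    static final HandshakeProducer sm2HandshakeProducer = new SM2ServerKeyExchangeProducer();

    /* loaded from: input_file:WEB-INF/lib/jsse-1.0.3.jar:org/openeuler/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeConsumer.class */
    /** Client-side consumer of the SM2 ServerKeyExchange handshake message. */
    private static final class SM2ServerKeyExchangeConsumer implements SSLConsumer {
        private SM2ServerKeyExchangeConsumer() {
        }

        /**
         * Parses the peer's SM2 ServerKeyExchange and records the resulting key-exchange
         * credentials on the client handshake context.
         *
         * <p>The message constructor performs the wire-format checks and, when GM X.509
         * credentials are present, the signature verification. This method then needs the
         * peer's encryption public key from those same credentials, so the handshake is
         * aborted with a fatal alert if they are missing or the key is not an EC key.
         *
         * @param connectionContext the handshake context; must be a {@code ClientHandshakeContext}
         * @param byteBuffer the body of the received handshake message
         * @throws IOException if the message is malformed, fails verification, or the
         *     required GM credentials are unavailable
         */
        @Override // org.openeuler.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            SM2ServerKeyExchangeMessage message = new SM2ServerKeyExchangeMessage(chc, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming SM2 ServerKeyExchange handshake message", message);
            }

            GMX509Authentication.GMX509Credentials gmCredentials = null;
            for (SSLCredentials credentials : chc.handshakeCredentials) {
                if (credentials instanceof GMX509Authentication.GMX509Credentials) {
                    gmCredentials = (GMX509Authentication.GMX509Credentials) credentials;
                    break;
                }
            }

            // Fail the handshake with an alert instead of a NullPointerException: the message
            // parser tolerates absent GM credentials (unsigned parameters), but the SM2
            // credentials below cannot be built without the peer's encryption key.
            if (gmCredentials == null) {
                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "No GM X.509 credentials available for SM2 ServerKeyExchange");
            }
            // The key comes from the peer's certificate; reject a non-EC key with an alert
            // rather than letting the cast raise a ClassCastException.
            if (!(gmCredentials.popEncPublicKey instanceof ECPublicKey)) {
                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Peer encryption key is not an EC public key");
            }

            // NOTE(review): the received public point is passed on as raw bytes; whether it is
            // validated against the curve happens (if at all) outside this class - confirm.
            chc.handshakeCredentials.add(new SM2KeyExchange.SM2Credentials(
                    (ECPublicKey) gmCredentials.popEncPublicKey, message.namedGroup, message.publicPoint));
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jsse-1.0.3.jar:org/openeuler/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeMessage.class */
    /**
     * The SM2 ServerKeyExchange message. On the wire it is: one byte curve type (named curve),
     * two bytes named-group id, the public point with a one-byte length prefix, and, when
     * signed, an optional two-byte signature scheme id followed by the signature with a
     * two-byte length prefix.
     */
    private static final class SM2ServerKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        // ECCurveType value written to and expected from the wire ("named curve").
        private static final byte CURVE_NAMED_CURVE = 3;
        private final SupportedGroupsExtension.NamedGroup namedGroup;
        private final byte[] publicPoint;
        // null when the parameters are not signed (no GM X.509 possession/credentials).
        private final byte[] paramsSignature;
        private final boolean useExplicitSigAlgorithm;
        // null unless useExplicitSigAlgorithm is true.
        private final SignatureScheme signatureScheme;

        /**
         * Builds the message on the server from the negotiated possessions and signs the
         * parameters with the server's signing private key when a GM X.509 possession exists.
         *
         * @param handshakeContext the handshake context; must be a {@code ServerHandshakeContext}
         * @throws IOException if no SM2 possession was negotiated, the curve is unnamed, the
         *     peer did not offer {@code ECDSA_SM3} when an explicit scheme is required, or
         *     signing fails
         */
        SM2ServerKeyExchangeMessage(HandshakeContext handshakeContext) throws IOException {
            super(handshakeContext);
            ServerHandshakeContext shc = (ServerHandshakeContext) handshakeContext;

            SM2KeyExchange.SM2Possession sm2Possession = null;
            GMX509Authentication.GMX509Possession x509Possession = null;
            for (SSLPossession possession : shc.handshakePossessions) {
                if (possession instanceof SM2KeyExchange.SM2Possession) {
                    sm2Possession = (SM2KeyExchange.SM2Possession) possession;
                } else if (possession instanceof GMX509Authentication.GMX509Possession) {
                    x509Possession = (GMX509Authentication.GMX509Possession) possession;
                }
                // Stop as soon as one possession of each kind has been seen.
                if (sm2Possession != null && x509Possession != null) {
                    break;
                }
            }
            if (sm2Possession == null) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No SM2 credentials negotiated for server key exchange");
            }

            BCECPublicKey ephemeralPublicKey = sm2Possession.publicKey;
            ECParameterSpec params = ephemeralPublicKey.getParams();
            // presumably getEncoded(false) yields the uncompressed point encoding - confirm
            this.publicPoint = SM2KeyExchangeUtil.generateR(ephemeralPublicKey, sm2Possession.randomNum).getEncoded(false);
            this.namedGroup = SupportedGroupsExtension.NamedGroup.valueOf(params);
            if (this.namedGroup == null || this.namedGroup.oid == null) {
                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unnamed EC parameter spec: " + params);
            }

            if (x509Possession == null) {
                // No signing key: the parameters go out unsigned.
                this.paramsSignature = null;
                this.signatureScheme = null;
                this.useExplicitSigAlgorithm = false;
                return;
            }

            this.useExplicitSigAlgorithm = shc.t12WithGMCipherSuite;
            if (this.useExplicitSigAlgorithm) {
                // ECDSA_SM3 is the only scheme this message ever announces.
                if (shc.peerRequestedSignatureSchemes == null || !shc.peerRequestedSignatureSchemes.contains(SignatureScheme.ECDSA_SM3)) {
                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "No supported signature algorithm for " + x509Possession.popSignPrivateKey.getAlgorithm() + "  key");
                }
                this.signatureScheme = SignatureScheme.ECDSA_SM3;
            } else {
                this.signatureScheme = null;
            }

            byte[] signed;
            try {
                Signature signer = getSignature(x509Possession.popSignPrivateKey.getAlgorithm(), x509Possession.popSignPrivateKey);
                try {
                    // Both hello randoms are bound into the signature together with the parameters.
                    updateSignature(signer, shc.clientHelloRandom.randomBytes, shc.serverHelloRandom.randomBytes, this.namedGroup.id, this.publicPoint);
                    signed = signer.sign();
                } catch (SignatureException e) {
                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign sm2 parameters: " + x509Possession.popSignPrivateKey.getAlgorithm(), e);
                }
            } catch (InvalidKeyException | NoSuchAlgorithmException e2) {
                throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + x509Possession.popSignPrivateKey.getAlgorithm(), e2);
            }
            this.paramsSignature = signed;
        }

        /**
         * Parses the message on the client and, when GM X.509 credentials are present,
         * verifies the signature over the hello randoms and the key-exchange parameters with
         * the peer's signing public key.
         *
         * @param handshakeContext the handshake context; must be a {@code ClientHandshakeContext}
         * @param byteBuffer the body of the received handshake message
         * @throws IOException if the curve type, named group, point, signature scheme or
         *     signature is rejected
         */
        SM2ServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            ClientHandshakeContext chc = (ClientHandshakeContext) handshakeContext;

            byte curveType = (byte) Record.getInt8(byteBuffer);
            if (curveType != CURVE_NAMED_CURVE) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported ECCurveType: " + ((int) curveType));
            }

            int groupId = Record.getInt16(byteBuffer);
            this.namedGroup = SupportedGroupsExtension.NamedGroup.valueOf(groupId);
            // Only SM2P256V1 is accepted, whatever other groups the id might map to.
            if (this.namedGroup != SupportedGroupsExtension.NamedGroup.SM2P256V1) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unknown named group ID: " + groupId);
            }
            if (!SupportedGroupsExtension.SupportedGroups.isSupported(this.namedGroup)) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported named group: " + this.namedGroup);
            }
            if (this.namedGroup.oid == null) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unknown named EC curve: " + this.namedGroup);
            }

            this.publicPoint = Record.getBytes8(byteBuffer);
            if (this.publicPoint.length == 0) {
                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Insufficient ECPoint data: " + this.namedGroup);
            }

            GMX509Authentication.GMX509Credentials gmCredentials = null;
            for (SSLCredentials credentials : chc.handshakeCredentials) {
                if (credentials instanceof GMX509Authentication.GMX509Credentials) {
                    gmCredentials = (GMX509Authentication.GMX509Credentials) credentials;
                    break;
                }
            }

            if (gmCredentials == null) {
                // Without a peer signing key nothing can be verified, so a signature (or any
                // other trailing data) is not allowed. The "DH" wording of the alert text is
                // kept exactly as found in the original.
                if (byteBuffer.hasRemaining()) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: unknown extra data");
                }
                this.signatureScheme = null;
                this.paramsSignature = null;
                this.useExplicitSigAlgorithm = false;
                return;
            }

            this.useExplicitSigAlgorithm = chc.t12WithGMCipherSuite;
            if (this.useExplicitSigAlgorithm) {
                int schemeId = Record.getInt16(byteBuffer);
                this.signatureScheme = SignatureScheme.valueOf(schemeId);
                if (this.signatureScheme != SignatureScheme.ECDSA_SM3) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature algorithm (" + schemeId + ") used in SM2 ServerKeyExchange handshake message");
                }
                if (!chc.localSupportedSignAlgs.contains(this.signatureScheme)) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Unsupported signature algorithm (" + this.signatureScheme.name + ") used in SM2 ServerKeyExchange handshake message");
                }
            } else {
                this.signatureScheme = null;
            }

            this.paramsSignature = Record.getBytes16(byteBuffer);
            try {
                Signature verifier = getSignature(gmCredentials.popSignPublicKey.getAlgorithm(), gmCredentials.popSignPublicKey);
                try {
                    updateSignature(verifier, chc.clientHelloRandom.randomBytes, chc.serverHelloRandom.randomBytes, this.namedGroup.id, this.publicPoint);
                    if (!verifier.verify(this.paramsSignature)) {
                        throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid SM2 ServerKeyExchange signature");
                    }
                } catch (SignatureException e) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot verify SM2 ServerKeyExchange signature", e);
                }
            } catch (InvalidKeyException | NoSuchAlgorithmException e2) {
                throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + gmCredentials.popSignPublicKey.getAlgorithm(), e2);
            }
        }

        /** @return {@code SSLHandshake.SERVER_KEY_EXCHANGE} */
        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.SERVER_KEY_EXCHANGE;
        }

        /**
         * @return the encoded body length: 4 bytes of fixed header (curve type, group id,
         *     point length), the point, and, when signed, the 2-byte signature length, the
         *     signature and the optional signature scheme id
         */
        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            int signatureLength = 0;
            if (this.paramsSignature != null) {
                signatureLength = 2 + this.paramsSignature.length;
                if (this.useExplicitSigAlgorithm) {
                    signatureLength += SignatureScheme.sizeInRecord();
                }
            }
            return 4 + this.publicPoint.length + signatureLength;
        }

        /**
         * Writes the message body in wire order.
         *
         * @param handshakeOutStream the stream to write to
         * @throws IOException if writing fails
         */
        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) throws IOException {
            handshakeOutStream.putInt8(CURVE_NAMED_CURVE);
            handshakeOutStream.putInt16(this.namedGroup.id);
            handshakeOutStream.putBytes8(this.publicPoint);
            if (this.paramsSignature != null) {
                if (this.useExplicitSigAlgorithm) {
                    handshakeOutStream.putInt16(this.signatureScheme.id);
                }
                handshakeOutStream.putBytes16(this.paramsSignature);
            }
        }

        /**
         * Renders the message for handshake debug logging; the public point and the
         * signature are hex-dumped.
         */
        @Override
        public String toString() {
            if (this.useExplicitSigAlgorithm) {
                MessageFormat explicitFormat = new MessageFormat("\"SM2 ServerKeyExchange\": '{'\n  \"parameters\": '{'\n    \"named group\": \"{0}\"\n    \"sm2 public\": '{'\n{1}\n    '}',\n  '}',\n  \"digital signature\":  '{'\n    \"signature algorithm\": \"{2}\"\n    \"signature\": '{'\n{3}\n    '}',\n  '}'\n'}'", Locale.ENGLISH);
                HexDumpEncoder hexEncoder = new HexDumpEncoder();
                return explicitFormat.format(new Object[]{this.namedGroup.name, Utilities.indent(hexEncoder.encodeBuffer(this.publicPoint), "      "), this.signatureScheme.name, Utilities.indent(hexEncoder.encodeBuffer(this.paramsSignature), "      ")});
            }
            if (this.paramsSignature == null) {
                return new MessageFormat("\"SM2 ServerKeyExchange\": '{'\n  \"parameters\":  '{'\n    \"named group\": \"{0}\"\n    \"sm2 public\": '{'\n{1}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{this.namedGroup.name, Utilities.indent(new HexDumpEncoder().encodeBuffer(this.publicPoint), "      ")});
            }
            MessageFormat signedFormat = new MessageFormat("\"SM2 ServerKeyExchange\": '{'\n  \"parameters\":  '{'\n    \"named group\": \"{0}\"\n    \"sm2 public\": '{'\n{1}\n    '}',\n  '}',\n  \"signature\": '{'\n{2}\n  '}'\n'}'", Locale.ENGLISH);
            HexDumpEncoder hexEncoder = new HexDumpEncoder();
            return signedFormat.format(new Object[]{this.namedGroup.name, Utilities.indent(hexEncoder.encodeBuffer(this.publicPoint), "      "), Utilities.indent(hexEncoder.encodeBuffer(this.paramsSignature), "    ")});
        }

        /**
         * Returns a {@code Signature} chosen by key algorithm and initialised for verifying
         * (public key) or signing (any other key, cast to {@code PrivateKey}).
         *
         * <p>The decompiled original dispatched through {@code str.hashCode()} into a
         * {@code boolean} selector, which does not compile; its case label 2206 (rendered by
         * the decompiler as an unrelated {@code LMErr} constant) is simply the hash of the
         * string compared against {@code GMConstants.EC}. The dispatch is written here as
         * plain string comparisons with the same outcomes. A null algorithm name now yields
         * {@code NoSuchAlgorithmException}, which both callers turn into a fatal alert.
         *
         * @param str the key algorithm name
         * @param key the key to initialise the signature with
         * @return the initialised signature; may be null if the underlying lookup returns null
         * @throws NoSuchAlgorithmException if the algorithm is neither EC nor RSA
         * @throws InvalidKeyException if the key is rejected by the signature implementation
         */
        private static Signature getSignature(String str, Key key) throws NoSuchAlgorithmException, InvalidKeyException {
            // NOTE(review): the algorithm follows the key type only. With an explicit scheme the
            // callers require ECDSA_SM3 on the wire, yet an RSA key would still select the RSA
            // signature here; confirm that certificate selection rules out that combination.
            final Signature signer;
            if (GMConstants.EC.equals(str)) {
                signer = JsseJce.getSignature("SM3WithSM2");
            } else if ("RSA".equals(str)) {
                signer = RSASignature.getInstance();
            } else {
                throw new NoSuchAlgorithmException("neither an RSA or a EC key : " + str);
            }
            if (signer != null) {
                if (key instanceof PublicKey) {
                    signer.initVerify((PublicKey) key);
                } else {
                    signer.initSign((PrivateKey) key);
                }
            }
            return signer;
        }

        /**
         * Feeds the signed content into {@code signature}: client random, server random,
         * curve type, the named-group id as two big-endian bytes, the point length as one
         * byte, and the point.
         *
         * @param signature the signature to update
         * @param bArr the client hello random
         * @param bArr2 the server hello random
         * @param i the named-group id
         * @param bArr3 the encoded public point
         * @throws SignatureException if the signature object is not initialised properly
         */
        private static void updateSignature(Signature signature, byte[] bArr, byte[] bArr2, int i, byte[] bArr3) throws SignatureException {
            signature.update(bArr);
            signature.update(bArr2);
            signature.update(CURVE_NAMED_CURVE);
            signature.update((byte) ((i >> 8) & 255));
            signature.update((byte) (i & 255));
            // One length byte, mirroring the one-byte length prefix used for the point on the wire.
            signature.update((byte) bArr3.length);
            signature.update(bArr3);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jsse-1.0.3.jar:org/openeuler/sun/security/ssl/SM2ServerKeyExchange$SM2ServerKeyExchangeProducer.class */
    /** Server-side producer of the SM2 ServerKeyExchange handshake message. */
    private static final class SM2ServerKeyExchangeProducer implements HandshakeProducer {
        private SM2ServerKeyExchangeProducer() {
        }

        /**
         * Builds the SM2 ServerKeyExchange message from the server handshake context, writes
         * it to the handshake output and flushes.
         *
         * @param connectionContext the handshake context; must be a {@code ServerHandshakeContext}
         * @param handshakeMessage not used by this producer
         * @return always null
         * @throws IOException if the message cannot be built or written
         */
        @Override // org.openeuler.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            SM2ServerKeyExchangeMessage message = new SM2ServerKeyExchangeMessage(shc);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced SM2 ServerKeyExchange handshake message", message);
            }
            message.write(shc.handshakeOutput);
            shc.handshakeOutput.flush();
            return null;
        }
    }

    SM2ServerKeyExchange() {
    }
}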
