package org.openeuler.sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import org.openeuler.gm.GMConstants;
import org.openeuler.sun.misc.HexDumpEncoder;
import org.openeuler.sun.security.ssl.GMX509Authentication;
import org.openeuler.sun.security.ssl.SSLHandshake;

/* loaded from: classes6.dex */
final class ECCServerKeyExchange {
    static final SSLConsumer eccHandshakeConsumer;
    static final HandshakeProducer eccHandshakeProducer;

    /* loaded from: classes6.dex */
    private static final class ECCServerKeyExchangeConsumer implements SSLConsumer {
        private ECCServerKeyExchangeConsumer() {
        }

        @Override // org.openeuler.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            ECCServerKeyExchangeMessage eCCServerKeyExchangeMessage = new ECCServerKeyExchangeMessage((ClientHandshakeContext) connectionContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming ECC ServerKeyExchange handshake message", eCCServerKeyExchangeMessage);
            }
        }
    }

    /* loaded from: classes6.dex */
    private static final class ECCServerKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        private final byte[] paramsSignature;
        private final SignatureScheme signatureScheme;
        private final boolean useExplicitSigAlgorithm;

        ECCServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            GMX509Authentication.GMX509Credentials gMX509Credentials;
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) handshakeContext;
            Iterator<SSLCredentials> it = clientHandshakeContext.handshakeCredentials.iterator();
            while (true) {
                if (!it.hasNext()) {
                    gMX509Credentials = null;
                    break;
                }
                SSLCredentials next = it.next();
                if (next instanceof GMX509Authentication.GMX509Credentials) {
                    gMX509Credentials = (GMX509Authentication.GMX509Credentials) next;
                    break;
                }
            }
            if (gMX509Credentials == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No ECC credentials negotiated for server key exchange");
            }
            boolean z = clientHandshakeContext.t12WithGMCipherSuite;
            this.useExplicitSigAlgorithm = z;
            if (z) {
                int int16 = Record.getInt16(byteBuffer);
                SignatureScheme valueOf = SignatureScheme.valueOf(int16);
                this.signatureScheme = valueOf;
                if (valueOf == null || valueOf != SignatureScheme.ECDSA_SM3) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature algorithm (" + int16 + ") used in ECC ServerKeyExchange handshake message");
                }
                if (!clientHandshakeContext.localSupportedSignAlgs.contains(valueOf)) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Unsupported signature algorithm (" + valueOf.name + ") used in ECC ServerKeyExchange handshake message");
                }
            } else {
                this.signatureScheme = null;
            }
            byte[] bytes16 = Record.getBytes16(byteBuffer);
            this.paramsSignature = bytes16;
            try {
                Signature signature = Signature.getInstance(GMConstants.SM3_WITH_SM2);
                signature.initVerify(gMX509Credentials.popSignPublicKey);
                updateSignature(signature, clientHandshakeContext.clientHelloRandom.randomBytes, clientHandshakeContext.serverHelloRandom.randomBytes, gMX509Credentials.popEncCerts[0]);
                if (signature.verify(bytes16)) {
                } else {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature of ECC ServerKeyExchange message");
                }
            } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign ECC parameters", e);
            }
        }

        private ECCServerKeyExchangeMessage(HandshakeContext handshakeContext, GMX509Authentication.GMX509Possession gMX509Possession) throws IOException {
            super(handshakeContext);
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) handshakeContext;
            boolean z = serverHandshakeContext.t12WithGMCipherSuite;
            this.useExplicitSigAlgorithm = z;
            if (z) {
                List<SignatureScheme> list = serverHandshakeContext.peerRequestedSignatureSchemes;
                if (list != null) {
                    SignatureScheme signatureScheme = SignatureScheme.ECDSA_SM3;
                    if (list.contains(signatureScheme)) {
                        this.signatureScheme = signatureScheme;
                    }
                }
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "No supported signature algorithm");
            }
            this.signatureScheme = null;
            try {
                Signature signature = Signature.getInstance(GMConstants.SM3_WITH_SM2);
                signature.initSign(gMX509Possession.popSignPrivateKey, serverHandshakeContext.sslContext.getSecureRandom());
                updateSignature(signature, serverHandshakeContext.clientHelloRandom.randomBytes, serverHandshakeContext.serverHelloRandom.randomBytes, gMX509Possession.popEncCerts[0]);
                this.paramsSignature = signature.sign();
            } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign ECC parameters", e);
            }
        }

        private void updateSignature(Signature signature, byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws SignatureException {
            signature.update(bArr);
            signature.update(bArr2);
            try {
                byte[] encoded = x509Certificate.getEncoded();
                int length = encoded.length;
                signature.update((byte) ((length >> 16) & 255));
                signature.update((byte) ((length >> 8) & 255));
                signature.update((byte) (length & 255));
                signature.update(encoded);
            } catch (CertificateEncodingException e) {
                throw new SignatureException(e);
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.SERVER_KEY_EXCHANGE;
        }

        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        int messageLength() {
            int length = this.paramsSignature.length + 2;
            return this.useExplicitSigAlgorithm ? length + SignatureScheme.sizeInRecord() : length;
        }

        @Override // org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage
        void send(HandshakeOutStream handshakeOutStream) throws IOException {
            if (this.useExplicitSigAlgorithm) {
                handshakeOutStream.putInt16(this.signatureScheme.f36082id);
            }
            handshakeOutStream.putBytes16(this.paramsSignature);
        }

        public String toString() {
            if (!this.useExplicitSigAlgorithm) {
                return new MessageFormat("\"ECC ServerKeyExchange\": '{'\n  \"digital signature\":  '{'\n    \"signature\": '{'\n{0}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{Utilities.indent(new HexDumpEncoder().encodeBuffer(this.paramsSignature), "      ")});
            }
            return new MessageFormat("\"ECDH ServerKeyExchange\": '{'\n  \"digital signature\":  '{'\n    \"signature algorithm\": \"{0}\"\n    \"signature\": '{'\n{1}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{this.signatureScheme.name, Utilities.indent(new HexDumpEncoder().encodeBuffer(this.paramsSignature), "      ")});
        }
    }

    /* loaded from: classes6.dex */
    private static final class ECCServerKeyExchangeProducer implements HandshakeProducer {
        private ECCServerKeyExchangeProducer() {
        }

        @Override // org.openeuler.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) connectionContext;
            GMX509Authentication.GMX509Possession gMX509Possession = null;
            for (SSLPossession sSLPossession : serverHandshakeContext.handshakePossessions) {
                if ((sSLPossession instanceof GMX509Authentication.GMX509Possession) && (gMX509Possession = (GMX509Authentication.GMX509Possession) sSLPossession) != null) {
                    break;
                }
            }
            if (gMX509Possession == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No ECC certificate negotiated for server key exchange");
            }
            ECCServerKeyExchangeMessage eCCServerKeyExchangeMessage = new ECCServerKeyExchangeMessage(serverHandshakeContext, gMX509Possession);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced ECC ServerKeyExchange handshake message", eCCServerKeyExchangeMessage);
            }
            eCCServerKeyExchangeMessage.write(serverHandshakeContext.handshakeOutput);
            serverHandshakeContext.handshakeOutput.flush();
            return null;
        }
    }

    static {
        eccHandshakeConsumer = new ECCServerKeyExchangeConsumer();
        eccHandshakeProducer = new ECCServerKeyExchangeProducer();
    }

    ECCServerKeyExchange() {
    }
}
