package kl.ssl.smf;

import c.b.a.a.a;
import com.koal.smf.api.certmgr.CertMgrClient;
import com.koal.smf.client.CertMgrClientFactory;
import com.koal.smf.constant.CertStatus;
import com.koal.smf.constant.ErrorCode;
import com.koal.smf.constant.UserInfo;
import com.koal.smf.exception.SmfException;
import com.koal.smf.helper.StringUtils;
import com.koal.smf.model.response.cert.CertMgrResponse;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.UUID;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import kl.ssl.exception.GMSSLErrorCode;
import kl.ssl.gm.GMBase;
import kl.ssl.gmvpn.SignatureAndHashAlgorithm;
import kl.ssl.gmvpn.crypto.TlsSigner;
import kl.ssl.gmvpn.crypto.TlsStreamSigner;
import kl.ssl.gmvpn.crypto.impl.jcajce.JcaTlsCertificate;
import kl.ssl.gmvpn.crypto.impl.jcajce.JcaTlsCrypto;
import kl.ssl.jsse.provider.KlGMJsseProvider;
import kl.ssl.jsse.provider.ProvX509TrustManager;
import kl.ssl.jsse.util.ExtParamsSocketFactory;
import kl.ssl.jsse.util.SNISocketFactory;
import kl.ssl.jsse.util.SessionTicketSocketFactory;
import kl.ssl.jsse.util.TlsSignerSocketFactory;
import kl.ssl.log.SpendTimeLog;
import kl.ssl.util.CertChainUtil;
import kl.ssl.util.CertUtil;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: classes2.dex */
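/**
 * Builds a GM/T (GMVPNv1.1) {@link SSLContext} and a layered {@link SSLSocketFactory}
 * (SNI, session tickets, remote signing, extended params) on top of the KlGMJsse provider.
 *
 * <p>All work happens in the constructor: the trust chain is parsed, the sign certificate
 * is exported from the certificate-management client, the context is initialised and the
 * socket factory wrappers are stacked. Handshake signatures are produced by
 * {@code certMgrClient.signData}, not by a key held in this process.
 *
 * <p>Not thread-safe during construction; the getters are read-only afterwards.
 */
public class GMSSLContextBuilder extends GMBase {
    /** Built-in CA certificate that becomes the sole trust anchor when the caller supplies no chain. */
    public static final String CA_CERT = "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";
    /** Password for the in-memory BKS key entry; the store is built in memory and never persisted here. */
    public static final char[] KEY_PASSWORD = "KeyStorePassword".toCharArray();
    /**
     * Base64 PKCS#8 key that is paired with the exported sign certificate in the in-memory key store.
     * Actual handshake signatures are delegated to {@code certMgrClient.signData} by the
     * {@link TlsSigner} installed in {@link #init()}, so this embedded key presumably only
     * satisfies the key-manager API — TODO(review): confirm the provider never signs with it.
     */
    public static final String PRIVATE_KEY = "MIGTAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBHkwdwIBAQQgMfDlzEcBl3cbJkmUPL/VyfyoiQEHsW8PPeVC3juHpG6gCgYIKoEcz1UBgi2hRANCAARfwGWpAX8jGukvTpE3SbcOkmYLLV5ETauNrrkspLe5EkAWSgdO7ULpPSQDzaz28mAfGWuj9DKv558GxuZs38Io";
    /** Caller-supplied PEM certificate chain; may be null or empty. */
    public final String[] certChain;
    /** Formatted certificates making up the trust chain; populated by {@link #processParams()}. */
    public final List<String> certList;
    /** Client used to export the sign certificate and to sign handshake data; may be null. */
    public final CertMgrClient certMgrClient;
    /** Random 32-character lower-case hex id for this context; also the fallback trace id. */
    public final String clientId;
    public GMSSLContextConfig gmsslContextConfig;
    public KeyManager[] keyManagers;
    public SpendTimeLog spendTimeLog;
    public SSLContext sslContext;
    public SSLSocketFactory sslSocketFactory;
    /** Trace id used for timing logs (field name kept as-is: it is part of the public surface). */
    public String tranceId;
    public TrustManager[] trustManagers;

    /**
     * Builds the context immediately.
     *
     * @param certMgrClient certificate-management client, or null to build a context without a key manager
     * @param strArr PEM certificate chain to trust, or null/empty to trust {@link #CA_CERT} only
     * @param gMSSLContextConfig SNI, session-ticket, SPA and validation options
     * @throws SmfException if the certificate-management client reports an error
     * @throws RuntimeException (via {@code GMSSLErrorCode.toException}) if the context cannot be built
     */
    public GMSSLContextBuilder(CertMgrClient certMgrClient, String[] strArr, GMSSLContextConfig gMSSLContextConfig) {
        this.certList = new ArrayList<>();
        // UUID.toString() is already lower-case hex; Locale.ROOT keeps the call locale-independent.
        this.clientId = UUID.randomUUID().toString().replace("-", "").toLowerCase(Locale.ROOT);
        long startMillis = System.currentTimeMillis();
        this.certMgrClient = certMgrClient;
        this.certChain = strArr;
        this.gmsslContextConfig = gMSSLContextConfig;
        init();
        SpendTimeLog.d(this.tranceId, "total spend: " + (System.currentTimeMillis() - startMillis));
    }

    /**
     * Convenience constructor that looks the client up by id.
     *
     * @param strArr PEM certificate chain to trust, or null/empty to trust {@link #CA_CERT} only
     * @param gMSSLContextConfig SNI, session-ticket, SPA and validation options
     * @param str identifier passed to {@link CertMgrClientFactory#getInstance}
     */
    public GMSSLContextBuilder(String[] strArr, GMSSLContextConfig gMSSLContextConfig, String str) {
        this(CertMgrClientFactory.getInstance(str), strArr, gMSSLContextConfig);
    }

    /**
     * Creates {@link #keyManagers} from the exported sign certificate and the embedded key.
     *
     * @param signCertPem sign certificate as returned by {@code certMgrClient.exportSignCert()}
     * @throws Exception any parsing, key-store or provider failure; wrapped by the caller
     */
    private void constructKeyManagerFactory(String signCertPem) throws Exception {
        SpendTimeLog timer = new SpendTimeLog(this.tranceId);
        timer.start();
        JcaTlsCertificate signCert = CertUtil.loadJcaTlsCertificate(GMBase.CRYPTO, CertUtil.formatCert(signCertPem));
        timer.end("gen key manager-parseCert");
        timer.start();
        PrivateKey embeddedKey = CertUtil.loadJcaPkcs8PrivateKey((JcaTlsCrypto) GMBase.CRYPTO, Base64.decode(PRIVATE_KEY));
        timer.end("gen key manager-parseKey");
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(null, null); // fresh, empty in-memory store
        timer.start();
        keyStore.setKeyEntry("client", embeddedKey, KEY_PASSWORD, new X509Certificate[]{signCert.getX509Certificate()});
        timer.end("gen key manager-setPrivateKey");
        timer.start();
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX", KlGMJsseProvider.PROVIDER_NAME);
        keyManagerFactory.init(keyStore, KEY_PASSWORD);
        timer.end("gen key manager-initKeyMgr");
        this.keyManagers = keyManagerFactory.getKeyManagers();
    }

    /**
     * Exports the sign certificate from the certificate-management client and builds the key
     * managers. Does nothing when no client is configured (no client authentication then).
     *
     * @throws SmfException if the client reports a non-zero code or no certificate is present
     */
    private void constructorKeyManager() {
        if (this.certMgrClient == null) {
            return;
        }
        SpendTimeLog timer = new SpendTimeLog(this.tranceId);
        timer.start();
        CertMgrResponse localState = this.certMgrClient.certLocalState();
        if (localState.getCode() != 0) {
            throw new SmfException(localState.getCode(), localState.getMsg());
        }
        CertStatus certStatus = localState.getCertStatus();
        if (CertStatus.CERT_ST_NOT_EXIST.equals(certStatus) || CertStatus.NOT_FOUND.equals(certStatus)) {
            throw ErrorCode.ERROR_CERT_UNFIND.toException("current status:" + certStatus.getStatus());
        }
        CertMgrResponse exported = this.certMgrClient.exportSignCert();
        if (exported.getCode() != 0) {
            throw new SmfException(exported.getCode(), exported.getMsg());
        }
        String signCert = exported.getSignCert();
        timer.end("gen key manager-exportCert");
        try {
            constructKeyManagerFactory(signCert);
        } catch (Exception e) {
            throw GMSSLErrorCode.CLIENT_CREATE_KEYSTORE.toException(e);
        }
    }

    /** Builds {@link #trustManagers} from {@link #certList}, wrapping any failure as CLIENT_CREATE_CERT_CHAIN. */
    private void constructorTrustManager() {
        try {
            this.trustManagers = CertChainUtil.constructTrustManagerFactory(this.certList).getTrustManagers();
        } catch (Exception e) {
            throw GMSSLErrorCode.CLIENT_CREATE_CERT_CHAIN.toException(e);
        }
    }

    /**
     * Full build: parameters, trust/key managers, SSLContext, then the socket-factory stack
     * (SNI → session ticket → remote signer → extended params, outermost last).
     */
    private void init() {
        processParams();
        // Computed before the try so a missing MD5 provider surfaces as GET_MD5_DIGEST
        // instead of being re-wrapped as CREATE_SSL_CONTEXT.
        byte[] spaDigest = digestSpaSecret();
        try {
            this.spendTimeLog.start();
            SSLContext context = SSLContext.getInstance("GMVPNv1.1", KlGMJsseProvider.PROVIDER_NAME);
            this.sslContext = context;
            context.init(this.keyManagers, this.trustManagers, new SecureRandom());
            this.spendTimeLog.end("init sslContext");
            SSLSocketFactory factory = context.getSocketFactory();
            String sniUrl = this.gmsslContextConfig.getSniUrl();
            if (!StringUtils.isEmpty(sniUrl)) {
                factory = new SNISocketFactory(factory, new URL(sniUrl));
            }
            if (this.gmsslContextConfig.isSessionTicket()) {
                factory = new SessionTicketSocketFactory(factory, this.clientId);
            }
            factory = new TlsSignerSocketFactory(factory, newRemoteSigner());
            // Assigned once, so a failure in the stack never leaves a half-wrapped factory behind.
            this.sslSocketFactory = new ExtParamsSocketFactory(factory, this.gmsslContextConfig.isSpa(), spaDigest, this.tranceId, this.clientId, this.gmsslContextConfig.isTcpNoDelay());
        } catch (Exception e) {
            throw GMSSLErrorCode.CREATE_SSL_CONTEXT.toException(e);
        }
    }

    /**
     * Signer that forwards handshake signing to {@code certMgrClient.signData}; the private key
     * never enters this process. {@link #certMgrClient} is only null-checked in
     * {@link #constructorKeyManager()}; a null client here would NPE on the first signature —
     * presumably unreachable because no key manager is installed in that case (TODO confirm).
     */
    private TlsSigner newRemoteSigner() {
        return new TlsSigner() {
            @Override
            public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, byte[] data) throws IOException {
                // Base64 output is pure ASCII, so the charset is explicit but cannot change the result.
                String encoded = new String(Base64.encode(data), StandardCharsets.US_ASCII);
                CertMgrResponse response = GMSSLContextBuilder.this.certMgrClient.signData(encoded);
                if (response.getCode() != 0) {
                    throw new SmfException(response.getCode(), response.getMsg());
                }
                return Base64.decode(response.getSignedMsg());
            }

            @Override
            public TlsStreamSigner getStreamSigner(SignatureAndHashAlgorithm algorithm) throws IOException {
                // No streaming signer is offered; presumably the provider then uses generateRawSignature — confirm.
                return null;
            }
        };
    }

    /**
     * MD5 of the configured SPA secret, or null when no secret is configured.
     * MD5 is presumably what the SPA peer expects for this value — confirm before changing it.
     *
     * @throws RuntimeException (GET_MD5_DIGEST) if the MD5 provider is unavailable
     */
    private byte[] digestSpaSecret() {
        String secret = this.gmsslContextConfig.getSpaSecret();
        if (StringUtils.isEmpty(secret)) {
            return null;
        }
        try {
            // Explicit charset; UTF-8 is the Android default, so this matches the previous implicit encoding.
            return MessageDigest.getInstance("md5").digest(secret.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw GMSSLErrorCode.GET_MD5_DIGEST.toException(e);
        }
    }

    /**
     * Resolves the trace id, parses the trust chain and builds trust and key managers.
     *
     * <p>Trace id precedence: config → client's SMF_TRACE_ID → {@link #clientId}.
     */
    private void processParams() {
        String traceId = this.gmsslContextConfig.getTraceId();
        if (traceId == null && this.certMgrClient != null) {
            traceId = this.certMgrClient.getInfo(UserInfo.SMF_TRACE_ID).to_string();
        }
        this.tranceId = traceId != null ? traceId : this.clientId;
        this.spendTimeLog = new SpendTimeLog(this.tranceId);
        this.spendTimeLog.start();
        if (this.certChain == null || this.certChain.length == 0) {
            // SECURITY: with no caller chain, trust only the built-in CA and switch chain validation
            // off via a static provider flag. Being static, that flag presumably affects every
            // ProvX509TrustManager in the process, not just this context, and it is never reset
            // on the other branch — TODO(review): confirm and consider scoping it per context.
            ProvX509TrustManager.validateCertChain = false;
            this.certList.add(CertUtil.formatCert(CA_CERT));
        } else {
            for (String pem : this.certChain) {
                this.certList.add(CertUtil.formatCert(pem));
            }
            if (this.gmsslContextConfig.isValidateCertChain()) {
                ProvX509TrustManager.validateFullCertChain = true;
                CertChainUtil.validateChain(this.certList);
            }
        }
        this.spendTimeLog.end("cert chain parse");
        this.spendTimeLog.start();
        constructorTrustManager();
        this.spendTimeLog.end("gen trust manager");
        this.spendTimeLog.start();
        constructorKeyManager();
        this.spendTimeLog.end("gen key manager total");
    }

    /** @return the random per-context client id (also used for session tickets and extended params) */
    public String getClientId() {
        return this.clientId;
    }

    /** @return the initialised GMVPNv1.1 context */
    public SSLContext getSslContext() {
        return this.sslContext;
    }

    /** @return the fully wrapped socket factory (outermost wrapper is ExtParamsSocketFactory) */
    public SSLSocketFactory getSslSocketFactory() {
        return this.sslSocketFactory;
    }

    /** @return the trust managers built from {@link #certList} */
    public TrustManager[] getTrustManagers() {
        return this.trustManagers;
    }
}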
