package cn.com.infosec.mobile.gm.tls;

import a6.d;
import android.support.v4.media.a;
import cn.com.infosec.mobile.gm.tls.CipherSuite;
import cn.com.infosec.mobile.gm.tls.HandshakeMessage;
import cn.com.infosec.mobile.gm.tls.crypto.KeyStore;
import cn.com.infosec.mobile.netcert.framework.crypto.CipherUtil;
import cn.com.infosec.mobile.netcert.framework.crypto.IHSM;
import cn.com.infosec.mobile.netcert.framework.crypto.SM2Id;
import cn.com.infosec.mobile.netcert.framework.crypto.impl.SoftImpl;
import java.io.IOException;
import java.io.PrintStream;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public final class ServerHandshaker extends Handshaker {
    private X509Certificate[] certs;
    private ProtocolVersion clientRequestedVersion;
    private DHCrypt dh;
    private byte doClientAuth;
    private ECDHCrypt ecdh;
    private KeyStore encKeyStore;
    private boolean needClientVerify;
    private KeyStore signKeystore;
    private SupportedEllipticCurvesExtension supportedCurves;

    /* renamed from: cn.com.infosec.mobile.gm.tls.ServerHandshaker$1, reason: invalid class name */
    /* loaded from: classes.dex */
    public static /* synthetic */ class AnonymousClass1 {
        public static final /* synthetic */ int[] $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange;

        static {
            int[] iArr = new int[CipherSuite.KeyExchange.values().length];
            $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange = iArr;
            try {
                iArr[CipherSuite.KeyExchange.K_ECC.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_SM3withSM2.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    public ServerHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b10, ProtocolVersion protocolVersion, boolean z10, boolean z11, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, b10 != 0, false, protocolVersion, z10, z11, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b10;
    }

    public ServerHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b10, ProtocolVersion protocolVersion, boolean z10, boolean z11, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, b10 != 0, false, protocolVersion, z10, z11, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b10;
    }

    private void chooseCipherSuite(HandshakeMessage.ClientHello clientHello) throws IOException {
        for (CipherSuite cipherSuite : clientHello.getCipherSuites().collection()) {
            if (isNegotiable(cipherSuite) && (this.doClientAuth != 0 || cipherSuite.keyExchange != CipherSuite.KeyExchange.K_ECDHE_SM3withSM2)) {
                if (trySetCipherSuite(cipherSuite)) {
                    return;
                }
            }
        }
        fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
    }

    private void clientCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        X509Certificate[] certificateChain = certificateMsg.getCertificateChain();
        if (certificateChain.length < 2) {
            if (this.doClientAuth == 1) {
                return;
            } else {
                fatalSE(Alerts.alert_bad_certificate, "null cert chain");
            }
        }
        try {
            X509Certificate[] trustCerts = this.sslContext.getTrustStore().getTrustCerts();
            SoftImpl softImpl = new SoftImpl();
            int length = trustCerts.length;
            boolean z10 = false;
            int i10 = 0;
            while (true) {
                if (i10 >= length) {
                    break;
                }
                X509Certificate x509Certificate = trustCerts[i10];
                if (softImpl.verify(certificateChain[0].getTBSCertificate(), certificateChain[0].getSignature(), x509Certificate.getPublicKey(), IHSM.SM3withSM2, SM2Id.getVerifyId("CERT")) && softImpl.verify(certificateChain[1].getTBSCertificate(), certificateChain[1].getSignature(), x509Certificate.getPublicKey(), IHSM.SM3withSM2, SM2Id.getVerifyId("CERT"))) {
                    z10 = true;
                    break;
                }
                i10++;
            }
            if (!z10) {
                fatalSE(Alerts.alert_certificate_unknown, "peer cert is NOT trusted");
            }
        } catch (Exception e10) {
            fatalSE(Alerts.alert_certificate_unknown, e10);
        }
        this.needClientVerify = true;
        this.session.setPeerCertificates(certificateChain);
    }

    private void clientCertificateVerify(HandshakeMessage.CertificateVerify certificateVerify) throws IOException {
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            certificateVerify.print(System.out);
        }
        try {
            if (!certificateVerify.verify(this.protocolVersion, this.handshakeHash, this.session.getPeerCertificates()[0].getPublicKey(), this.session.getMasterSecret())) {
                fatalSE(Alerts.alert_bad_certificate, "certificate verify message signature error");
            }
        } catch (GeneralSecurityException e10) {
            fatalSE(Alerts.alert_bad_certificate, "certificate verify format error", e10);
        }
        this.needClientVerify = false;
    }

    private void clientFinished(HandshakeMessage.Finished finished) throws IOException {
        Debug debug = Handshaker.debug;
        if (debug != null && Debug.isOn("handshake")) {
            finished.print(System.out);
        }
        if (this.doClientAuth == 2) {
            this.session.getPeerPrincipal();
        }
        if (this.needClientVerify) {
            fatalSE(Alerts.alert_handshake_failure, "client did not send certificate verify message");
        }
        if (!finished.verify(this.protocolVersion, this.handshakeHash, 1, this.session.getMasterSecret())) {
            fatalSE(Alerts.alert_handshake_failure, "client 'finished' message doesn't verify");
        }
        if (this.secureRenegotiation) {
            this.clientVerifyData = finished.getVerifyData();
        }
        if (!this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(true);
        }
        this.session.setLastAccessedTime(System.currentTimeMillis());
        if (this.resumingSession || !this.session.isRejoinable()) {
            if (this.resumingSession || debug == null || !Debug.isOn("session")) {
                return;
            }
            PrintStream printStream = System.out;
            StringBuilder r10 = d.r("%% Didn't cache non-resumable server session: ");
            r10.append(this.session);
            printStream.println(r10.toString());
            return;
        }
        ((SSLSessionContextImpl) this.sslContext.engineGetServerSessionContext()).put(this.session);
        if (debug == null || !Debug.isOn("session")) {
            return;
        }
        PrintStream printStream2 = System.out;
        StringBuilder r11 = d.r("%% Cached server session: ");
        r11.append(this.session);
        printStream2.println(r11.toString());
    }

    private void clientHello(HandshakeMessage.ClientHello clientHello) throws IOException {
        boolean z10;
        HandshakeMessage sM2_ServerKeyExchange;
        SSLSessionImpl sSLSessionImpl;
        Debug debug = Handshaker.debug;
        if (debug != null && Debug.isOn("handshake")) {
            clientHello.print(System.out);
        }
        if (clientHello.getCipherSuites().contains(CipherSuite.C_SCSV)) {
            if (this.isInitialHandshake) {
                this.secureRenegotiation = true;
            } else if (this.secureRenegotiation) {
                fatalSE(Alerts.alert_handshake_failure, "The SCSV is present in a secure renegotiation");
            } else {
                fatalSE(Alerts.alert_handshake_failure, "The SCSV is present in a insecure renegotiation");
            }
            z10 = true;
        } else {
            z10 = false;
        }
        RenegotiationInfoExtension renegotiationInfoExtension = (RenegotiationInfoExtension) clientHello.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
        if (renegotiationInfoExtension != null) {
            if (this.isInitialHandshake) {
                if (!renegotiationInfoExtension.isEmpty()) {
                    fatalSE(Alerts.alert_handshake_failure, "The renegotiation_info field is not empty");
                }
                this.secureRenegotiation = true;
            } else {
                if (!this.secureRenegotiation) {
                    fatalSE(Alerts.alert_handshake_failure, "The renegotiation_info is present in a insecure renegotiation");
                }
                if (!Arrays.equals(this.clientVerifyData, renegotiationInfoExtension.getRenegotiatedConnection())) {
                    fatalSE(Alerts.alert_handshake_failure, "Incorrect verify data in ClientHello renegotiation_info message");
                }
            }
            z10 = true;
        } else if (!this.isInitialHandshake && this.secureRenegotiation) {
            fatalSE(Alerts.alert_handshake_failure, "Inconsistent secure renegotiation indication");
        }
        if (!z10 || !this.secureRenegotiation) {
            if (this.isInitialHandshake) {
                if (!Handshaker.allowLegacyHelloMessages) {
                    fatalSE(Alerts.alert_handshake_failure, "Failed to negotiate the use of secure renegotiation");
                }
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: No renegotiation indication in ClientHello, allow legacy ClientHello");
                }
            } else if (Handshaker.allowUnsafeRenegotiation) {
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: continue with insecure renegotiation");
                }
            } else {
                if (this.activeProtocolVersion.f4281v >= ProtocolVersion.TLS11.f4281v) {
                    warningSE(Alerts.alert_no_renegotiation);
                    this.invalidated = true;
                    if (this.input.available() > 0) {
                        fatalSE((byte) 10, "ClientHello followed by an unexpected  handshake message");
                        return;
                    }
                    return;
                }
                fatalSE(Alerts.alert_handshake_failure, "Renegotiation is not allowed");
            }
        }
        this.input.digestNow();
        HandshakeMessage.ServerHello serverHello = new HandshakeMessage.ServerHello();
        ProtocolVersion protocolVersion = clientHello.protocolVersion;
        this.clientRequestedVersion = protocolVersion;
        if (protocolVersion.f4281v < this.enabledProtocols.min.f4281v) {
            StringBuilder r10 = d.r("Client requested protocol ");
            r10.append(this.clientRequestedVersion);
            r10.append(" not enabled or not supported");
            fatalSE(Alerts.alert_handshake_failure, r10.toString());
        }
        ProtocolVersion protocolVersion2 = this.clientRequestedVersion;
        int i10 = protocolVersion2.f4281v;
        ProtocolVersion protocolVersion3 = this.enabledProtocols.max;
        ProtocolVersion protocolVersion4 = i10 <= protocolVersion3.f4281v ? protocolVersion2 : protocolVersion3;
        setVersion(protocolVersion4);
        serverHello.protocolVersion = this.protocolVersion;
        this.clnt_random = clientHello.clnt_random;
        RandomCookie randomCookie = new RandomCookie(this.sslContext.getSecureRandom());
        this.svr_random = randomCookie;
        serverHello.svr_random = randomCookie;
        HandshakeMessage handshakeMessage = null;
        this.session = null;
        if (clientHello.sessionId.length() != 0 && (sSLSessionImpl = (SSLSessionImpl) ((SSLSessionContextImpl) this.sslContext.engineGetServerSessionContext()).getSession(clientHello.sessionId.getId())) != null) {
            boolean isRejoinable = sSLSessionImpl.isRejoinable();
            this.resumingSession = isRejoinable;
            if (isRejoinable && sSLSessionImpl.getProtocolVersion() != this.protocolVersion) {
                this.resumingSession = false;
            }
            if (this.resumingSession && this.doClientAuth == 2) {
                try {
                    sSLSessionImpl.getPeerPrincipal();
                } catch (SSLPeerUnverifiedException unused) {
                    this.resumingSession = false;
                }
            }
            if (this.resumingSession) {
                CipherSuite suite = sSLSessionImpl.getSuite();
                if (isNegotiable(suite) && clientHello.getCipherSuites().contains(suite)) {
                    setCipherSuite(suite);
                } else {
                    this.resumingSession = false;
                }
            }
            if (this.resumingSession) {
                this.session = sSLSessionImpl;
                if (Handshaker.debug != null && (Debug.isOn("handshake") || Debug.isOn("session"))) {
                    PrintStream printStream = System.out;
                    StringBuilder r11 = d.r("%% Resuming ");
                    r11.append(this.session);
                    printStream.println(r11.toString());
                }
            }
        }
        if (this.session == null) {
            if (!this.enableNewSession) {
                throw new SSLException("Client did not resume a session");
            }
            this.supportedCurves = (SupportedEllipticCurvesExtension) clientHello.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
            chooseCipherSuite(clientHello);
            this.session = new SSLSessionImpl(this.protocolVersion, this.cipherSuite, this.sslContext.getSecureRandom(), getHostAddressSE(), getPortSE());
        }
        serverHello.cipherSuite = this.cipherSuite;
        serverHello.sessionId = this.session.getSessionId();
        serverHello.compression_method = this.session.getCompression();
        if (this.secureRenegotiation) {
            serverHello.extensions.add(new RenegotiationInfoExtension(this.clientVerifyData, this.serverVerifyData));
        }
        Debug debug2 = Handshaker.debug;
        if (debug2 != null && Debug.isOn("handshake")) {
            serverHello.print(System.out);
            PrintStream printStream2 = System.out;
            StringBuilder r12 = d.r("Cipher suite:  ");
            r12.append(this.session.getSuite());
            printStream2.println(r12.toString());
        }
        serverHello.write(this.output);
        if (this.resumingSession) {
            calculateConnectionKeys(this.session.getMasterSecret(), this.session.getProtocolVersion());
            sendChangeCipherAndFinish(false);
            return;
        }
        if (this.certs == null) {
            throw new RuntimeException("no certificates");
        }
        HandshakeMessage.CertificateMsg certificateMsg = new HandshakeMessage.CertificateMsg(this.certs);
        this.session.setLocalCertificates(this.certs);
        if (debug2 != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        certificateMsg.write(this.output);
        int i11 = AnonymousClass1.$SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[this.keyExchange.ordinal()];
        if (i11 != 1) {
            if (i11 != 2) {
                StringBuilder r13 = d.r("internal error: ");
                r13.append(this.keyExchange);
                throw new RuntimeException(r13.toString());
            }
            try {
                sM2_ServerKeyExchange = new HandshakeMessage.ECDH_ServerKeyExchange(protocolVersion4, this.ecdh, this.clnt_random.random_bytes, this.svr_random.random_bytes, this.sslContext);
            } catch (GeneralSecurityException e10) {
                Handshaker.throwSSLException("Error generating ECDH server key exchange", e10);
            }
        } else {
            if (this.sslContext.getEncStore() == null || this.sslContext.getEncStore().getCert() == null || this.sslContext.getEncStore().getPriKey() == null) {
                throw new SSLException("MUST set a valid encypt keystore");
            }
            try {
                sM2_ServerKeyExchange = new HandshakeMessage.SM2_ServerKeyExchange(protocolVersion4, this.clnt_random.random_bytes, this.svr_random.random_bytes, this.sslContext);
            } catch (GeneralSecurityException e11) {
                Handshaker.throwSSLException("Error generating ECC server key exchange", e11);
            }
        }
        handshakeMessage = sM2_ServerKeyExchange;
        if (handshakeMessage != null) {
            if (Handshaker.debug != null && Debug.isOn("handshake")) {
                handshakeMessage.print(System.out);
            }
            handshakeMessage.write(this.output);
        }
        if (this.doClientAuth != 0) {
            HandshakeMessage.CertificateRequest certificateRequest = new HandshakeMessage.CertificateRequest(this.sslContext.getTrustStore().getTrustCerts(), this.keyExchange);
            if (Handshaker.debug != null && Debug.isOn("handshake")) {
                certificateRequest.print(System.out);
            }
            certificateRequest.write(this.output);
        }
        HandshakeMessage.ServerHelloDone serverHelloDone = new HandshakeMessage.ServerHelloDone();
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            serverHelloDone.print(System.out);
        }
        serverHelloDone.write(this.output);
        this.output.flush();
    }

    private SecretKey clientKeyExchange(DHClientKeyExchange dHClientKeyExchange) throws IOException {
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            dHClientKeyExchange.print(System.out);
        }
        return this.dh.getAgreedSecret(dHClientKeyExchange.getClientPublicKey());
    }

    private byte[] clientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) throws IOException {
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            eCDHClientKeyExchange.print(System.out);
        }
        byte[] encodedPoint = eCDHClientKeyExchange.getEncodedPoint();
        byte[] bArr = null;
        if (this.session.getPeerCertificates().length >= 2) {
            try {
                bArr = CipherUtil.sm2PublicKeyToByte(this.session.getPeerCertificates()[1].getPublicKey());
            } catch (Exception e10) {
                fatalSE(Alerts.alert_bad_certificate, e10);
            }
        } else if (this.protocolVersion.f4281v == ProtocolVersion.TLS11.f4281v) {
            byte[] bArr2 = new byte[65];
            bArr = new byte[65];
            System.arraycopy(encodedPoint, 0, bArr, 0, 65);
            System.arraycopy(encodedPoint, 65, bArr2, 0, 65);
            encodedPoint = bArr2;
        } else {
            fatalSE(Alerts.alert_bad_certificate, "encrypt cert MUST be present.");
            encodedPoint = null;
        }
        return this.ecdh.getAgreedSecretByServer(this.protocolVersion, encodedPoint, bArr);
    }

    private byte[] clientKeyExchange(SM2ClientKeyExchange sM2ClientKeyExchange) throws IOException {
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            sM2ClientKeyExchange.print(System.out);
        }
        return sM2ClientKeyExchange.preMaster;
    }

    private void sendChangeCipherAndFinish(boolean z10) throws IOException {
        this.output.flush();
        HandshakeMessage.Finished finished = new HandshakeMessage.Finished(this.protocolVersion, this.handshakeHash, 2, this.session.getMasterSecret());
        sendChangeCipherSpec(finished, z10);
        if (this.secureRenegotiation) {
            this.serverVerifyData = finished.getVerifyData();
        }
        if (z10) {
            this.state = 20;
        }
    }

    private void setupEphemeralDHKeys(boolean z10) {
        this.dh = new DHCrypt(z10 ? 512 : 768, this.sslContext.getSecureRandom());
    }

    private boolean setupEphemeralECDHKeys() {
        this.ecdh = new ECDHCrypt();
        return true;
    }

    private boolean setupPrivateKeyAndChain() {
        if (this.sslContext.getSignStore() == null || this.sslContext.getSignStore().getHsm() == null || this.sslContext.getSignStore().getPriKey() == null || this.sslContext.getSignStore().getCert() == null) {
            return false;
        }
        this.signKeystore = this.sslContext.getSignStore();
        if (this.sslContext.getEncStore() == null || this.sslContext.getEncStore().getHsm() == null || this.sslContext.getEncStore().getPriKey() == null || this.sslContext.getEncStore().getCert() == null) {
            this.certs = new X509Certificate[]{this.signKeystore.getCert()};
        } else {
            this.encKeyStore = this.sslContext.getEncStore();
            this.certs = new X509Certificate[]{this.signKeystore.getCert(), this.encKeyStore.getCert()};
        }
        return true;
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    public HandshakeMessage getKickstartMessage() {
        return new HandshakeMessage.HelloRequest();
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    public void handshakeAlert(byte b10) throws SSLProtocolException {
        String alertDescription = Alerts.alertDescription(b10);
        if (Handshaker.debug != null && Debug.isOn("handshake")) {
            System.out.println("SSL -- handshake alert:  " + alertDescription);
        }
        if (b10 != 41 || this.doClientAuth != 1) {
            throw new SSLProtocolException(d.l("handshake alert: ", alertDescription));
        }
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    public void processMessage(byte b10, int i10) throws IOException {
        byte[] clientKeyExchange;
        int i11 = this.state;
        if (i11 > b10 && i11 != 16 && b10 != 15) {
            StringBuilder r10 = d.r("Handshake message sequence violation, state = ");
            r10.append(this.state);
            r10.append(", type = ");
            r10.append((int) b10);
            throw new SSLProtocolException(r10.toString());
        }
        if (b10 == 1) {
            clientHello(new HandshakeMessage.ClientHello(this.input, i10));
        } else if (b10 == 11) {
            if (this.doClientAuth == 0) {
                fatalSE((byte) 10, "client sent unsolicited cert chain");
            }
            clientCertificate(new HandshakeMessage.CertificateMsg(this.input));
        } else if (b10 == 20) {
            clientFinished(new HandshakeMessage.Finished(this.protocolVersion, this.input));
        } else if (b10 == 15) {
            clientCertificateVerify(new HandshakeMessage.CertificateVerify(this.input));
        } else {
            if (b10 != 16) {
                throw new SSLProtocolException(a.h("Illegal server handshake msg, ", b10));
            }
            int i12 = AnonymousClass1.$SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[this.keyExchange.ordinal()];
            if (i12 == 1) {
                clientKeyExchange = clientKeyExchange(new SM2ClientKeyExchange(this.protocolVersion, this.clientRequestedVersion, this.input, i10, this.sslContext.getEncStore()));
            } else {
                if (i12 != 2) {
                    StringBuilder r11 = d.r("Unrecognized key exchange: ");
                    r11.append(this.keyExchange);
                    throw new SSLProtocolException(r11.toString());
                }
                clientKeyExchange = clientKeyExchange(new ECDHClientKeyExchange(this.input));
            }
            calculateKeys(clientKeyExchange, this.clientRequestedVersion);
        }
        if (this.state >= b10 || b10 == 15) {
            return;
        }
        this.state = b10;
    }

    public void setClientAuth(byte b10) {
        this.doClientAuth = b10;
    }

    public boolean trySetCipherSuite(CipherSuite cipherSuite) {
        if (this.resumingSession) {
            return true;
        }
        if (!cipherSuite.isNegotiable()) {
            return false;
        }
        int i10 = AnonymousClass1.$SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[cipherSuite.keyExchange.ordinal()];
        if (i10 != 1) {
            if (i10 != 2) {
                throw new RuntimeException("Unrecognized cipherSuite: " + cipherSuite);
            }
        } else if (!setupPrivateKeyAndChain()) {
            return false;
        }
        if (!setupPrivateKeyAndChain() || !setupEphemeralECDHKeys()) {
            return false;
        }
        setCipherSuite(cipherSuite);
        return true;
    }
}
