package cn.com.infosec.mobile.gm.tls;

import cn.com.infosec.mobile.gm.tls.CipherSuite;
import cn.com.infosec.mobile.gm.tls.HandshakeMessage;
import cn.com.infosec.mobile.gm.tls.crypto.KeyStore;
import cn.com.infosec.mobile.netcert.framework.crypto.CipherUtil;
import cn.com.infosec.mobile.netcert.framework.crypto.SM2Id;
import cn.com.infosec.mobile.netcert.framework.crypto.impl.SoftImpl;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLProtocolException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public final class ServerHandshaker extends Handshaker {
    private X509Certificate[] certs;
    private ProtocolVersion clientRequestedVersion;
    private DHCrypt dh;
    private byte doClientAuth;
    private ECDHCrypt ecdh;
    private KeyStore encKeyStore;
    private boolean needClientVerify;
    private KeyStore signKeystore;
    private SupportedEllipticCurvesExtension supportedCurves;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: cn.com.infosec.mobile.gm.tls.ServerHandshaker$1, reason: invalid class name */
    /* loaded from: classes.dex */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange = new int[CipherSuite.KeyExchange.values().length];

        static {
            try {
                $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECC.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_SM3withSM2.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServerHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, b != 0, false, protocolVersion, z, z2, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServerHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, b != 0, false, protocolVersion, z, z2, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b;
    }

    private void chooseCipherSuite(HandshakeMessage.ClientHello clientHello) throws IOException {
        for (CipherSuite cipherSuite : clientHello.getCipherSuites().collection()) {
            if (isNegotiable(cipherSuite) && (this.doClientAuth != 0 || cipherSuite.keyExchange != CipherSuite.KeyExchange.K_ECDHE_SM3withSM2)) {
                if (trySetCipherSuite(cipherSuite)) {
                    return;
                }
            }
        }
        fatalSE((byte) 40, "no cipher suites in common");
    }

    private void clientCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        X509Certificate[] certificateChain = certificateMsg.getCertificateChain();
        if (certificateChain.length < 2) {
            if (this.doClientAuth == 1) {
                return;
            } else {
                fatalSE((byte) 42, "null cert chain");
            }
        }
        try {
            X509Certificate[] trustCerts = this.sslContext.getTrustStore().getTrustCerts();
            SoftImpl softImpl = new SoftImpl();
            int length = trustCerts.length;
            boolean z = false;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                X509Certificate x509Certificate = trustCerts[i];
                if (softImpl.verify(certificateChain[0].getTBSCertificate(), certificateChain[0].getSignature(), x509Certificate.getPublicKey(), "SM3withSM2", SM2Id.getVerifyId("CERT")) && softImpl.verify(certificateChain[1].getTBSCertificate(), certificateChain[1].getSignature(), x509Certificate.getPublicKey(), "SM3withSM2", SM2Id.getVerifyId("CERT"))) {
                    z = true;
                    break;
                }
                i++;
            }
            if (!z) {
                fatalSE((byte) 46, "peer cert is NOT trusted");
            }
        } catch (Exception e) {
            fatalSE((byte) 46, e);
        }
        this.needClientVerify = true;
        this.session.setPeerCertificates(certificateChain);
    }

    private void clientCertificateVerify(HandshakeMessage.CertificateVerify certificateVerify) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            certificateVerify.print(System.out);
        }
        try {
            if (!certificateVerify.verify(this.protocolVersion, this.handshakeHash, this.session.getPeerCertificates()[0].getPublicKey(), this.session.getMasterSecret())) {
                fatalSE((byte) 42, "certificate verify message signature error");
            }
        } catch (GeneralSecurityException e) {
            fatalSE((byte) 42, "certificate verify format error", e);
        }
        this.needClientVerify = false;
    }

    private void clientFinished(HandshakeMessage.Finished finished) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            finished.print(System.out);
        }
        if (this.doClientAuth == 2) {
            this.session.getPeerPrincipal();
        }
        if (this.needClientVerify) {
            fatalSE((byte) 40, "client did not send certificate verify message");
        }
        if (!finished.verify(this.protocolVersion, this.handshakeHash, 1, this.session.getMasterSecret())) {
            fatalSE((byte) 40, "client 'finished' message doesn't verify");
        }
        if (this.secureRenegotiation) {
            this.clientVerifyData = finished.getVerifyData();
        }
        if (!this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(true);
        }
        this.session.setLastAccessedTime(System.currentTimeMillis());
        if (this.resumingSession || !this.session.isRejoinable()) {
            if (this.resumingSession || debug == null || !Debug.isOn("session")) {
                return;
            }
            System.out.println("%% Didn't cache non-resumable server session: " + this.session);
            return;
        }
        ((SSLSessionContextImpl) this.sslContext.engineGetServerSessionContext()).put(this.session);
        if (debug == null || !Debug.isOn("session")) {
            return;
        }
        System.out.println("%% Cached server session: " + this.session);
    }

    /* JADX WARN: Removed duplicated region for block: B:107:0x0338  */
    /* JADX WARN: Removed duplicated region for block: B:115:0x0366  */
    /* JADX WARN: Removed duplicated region for block: B:99:0x0320  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void clientHello(cn.com.infosec.mobile.gm.tls.HandshakeMessage.ClientHello r15) throws java.io.IOException {
        /*
            Method dump skipped, instructions count: 908
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: cn.com.infosec.mobile.gm.tls.ServerHandshaker.clientHello(cn.com.infosec.mobile.gm.tls.HandshakeMessage$ClientHello):void");
    }

    private SecretKey clientKeyExchange(DHClientKeyExchange dHClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            dHClientKeyExchange.print(System.out);
        }
        return this.dh.getAgreedSecret(dHClientKeyExchange.getClientPublicKey());
    }

    private byte[] clientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            eCDHClientKeyExchange.print(System.out);
        }
        byte[] encodedPoint = eCDHClientKeyExchange.getEncodedPoint();
        byte[] bArr = null;
        if (this.session.getPeerCertificates().length >= 2) {
            try {
                bArr = CipherUtil.sm2PublicKeyToByte(this.session.getPeerCertificates()[1].getPublicKey());
            } catch (Exception e) {
                fatalSE((byte) 42, e);
            }
        } else if (this.protocolVersion.v == ProtocolVersion.TLS11.v) {
            byte[] bArr2 = new byte[65];
            bArr = new byte[65];
            System.arraycopy(encodedPoint, 0, bArr, 0, bArr.length);
            System.arraycopy(encodedPoint, bArr.length, bArr2, 0, bArr2.length);
            encodedPoint = bArr2;
        } else {
            fatalSE((byte) 42, "encrypt cert MUST be present.");
            encodedPoint = null;
        }
        return this.ecdh.getAgreedSecretByServer(this.protocolVersion, encodedPoint, bArr);
    }

    private byte[] clientKeyExchange(SM2ClientKeyExchange sM2ClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            sM2ClientKeyExchange.print(System.out);
        }
        return sM2ClientKeyExchange.preMaster;
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        this.output.flush();
        HandshakeMessage.Finished finished = new HandshakeMessage.Finished(this.protocolVersion, this.handshakeHash, 2, this.session.getMasterSecret());
        sendChangeCipherSpec(finished, z);
        if (this.secureRenegotiation) {
            this.serverVerifyData = finished.getVerifyData();
        }
        if (z) {
            this.state = 20;
        }
    }

    private void setupEphemeralDHKeys(boolean z) {
        this.dh = new DHCrypt(z ? 512 : 768, this.sslContext.getSecureRandom());
    }

    private boolean setupEphemeralECDHKeys() {
        this.ecdh = new ECDHCrypt();
        return true;
    }

    private boolean setupPrivateKeyAndChain() {
        if (this.sslContext.getSignStore() == null || this.sslContext.getSignStore().getHsm() == null || this.sslContext.getSignStore().getPriKey() == null || this.sslContext.getSignStore().getCert() == null) {
            return false;
        }
        this.signKeystore = this.sslContext.getSignStore();
        if (this.sslContext.getEncStore() == null || this.sslContext.getEncStore().getHsm() == null || this.sslContext.getEncStore().getPriKey() == null || this.sslContext.getEncStore().getCert() == null) {
            this.certs = new X509Certificate[]{this.signKeystore.getCert()};
        } else {
            this.encKeyStore = this.sslContext.getEncStore();
            this.certs = new X509Certificate[]{this.signKeystore.getCert(), this.encKeyStore.getCert()};
        }
        return true;
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    HandshakeMessage getKickstartMessage() {
        return new HandshakeMessage.HelloRequest();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    public void handshakeAlert(byte b) throws SSLProtocolException {
        String alertDescription = Alerts.alertDescription(b);
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("SSL -- handshake alert:  " + alertDescription);
        }
        if (b == 41 && this.doClientAuth == 1) {
            return;
        }
        throw new SSLProtocolException("handshake alert: " + alertDescription);
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    void processMessage(byte b, int i) throws IOException {
        byte[] clientKeyExchange;
        if (this.state > b && this.state != 16 && b != 15) {
            throw new SSLProtocolException("Handshake message sequence violation, state = " + this.state + ", type = " + ((int) b));
        }
        if (b == 1) {
            clientHello(new HandshakeMessage.ClientHello(this.input, i));
        } else if (b == 11) {
            if (this.doClientAuth == 0) {
                fatalSE((byte) 10, "client sent unsolicited cert chain");
            }
            clientCertificate(new HandshakeMessage.CertificateMsg(this.input));
        } else if (b == 20) {
            clientFinished(new HandshakeMessage.Finished(this.protocolVersion, this.input));
        } else if (b == 15) {
            clientCertificateVerify(new HandshakeMessage.CertificateVerify(this.input));
        } else {
            if (b != 16) {
                throw new SSLProtocolException("Illegal server handshake msg, " + ((int) b));
            }
            int i2 = AnonymousClass1.$SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[this.keyExchange.ordinal()];
            if (i2 == 1) {
                clientKeyExchange = clientKeyExchange(new SM2ClientKeyExchange(this.protocolVersion, this.clientRequestedVersion, this.input, i, this.sslContext.getEncStore()));
            } else {
                if (i2 != 2) {
                    throw new SSLProtocolException("Unrecognized key exchange: " + this.keyExchange);
                }
                clientKeyExchange = clientKeyExchange(new ECDHClientKeyExchange(this.input));
            }
            calculateKeys(clientKeyExchange, this.clientRequestedVersion);
        }
        if (this.state >= b || b == 15) {
            return;
        }
        this.state = b;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setClientAuth(byte b) {
        this.doClientAuth = b;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean trySetCipherSuite(CipherSuite cipherSuite) {
        if (this.resumingSession) {
            return true;
        }
        if (!cipherSuite.isNegotiable()) {
            return false;
        }
        int i = AnonymousClass1.$SwitchMap$cn$com$infosec$mobile$gm$tls$CipherSuite$KeyExchange[cipherSuite.keyExchange.ordinal()];
        if (i != 1) {
            if (i != 2) {
                throw new RuntimeException("Unrecognized cipherSuite: " + cipherSuite);
            }
        } else if (!setupPrivateKeyAndChain()) {
            return false;
        }
        if (!setupPrivateKeyAndChain() || !setupEphemeralECDHKeys()) {
            return false;
        }
        setCipherSuite(cipherSuite);
        return true;
    }
}
