package cn.com.infosec.mobile.gm.tls;

import cn.com.infosec.mobile.gm.tls.CipherSuite;
import cn.com.infosec.mobile.gm.tls.HandshakeMessage;
import cn.com.infosec.mobile.gm.tls.crypto.KeyStore;
import cn.com.infosec.mobile.netcert.framework.crypto.CipherUtil;
import cn.com.infosec.mobile.netcert.framework.crypto.IHSM;
import cn.com.infosec.mobile.netcert.framework.crypto.SM2Id;
import com.umeng.analytics.pro.d;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLProtocolException;
import javax.security.auth.x500.X500Principal;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public final class ClientHandshaker extends Handshaker {
    private HandshakeMessage.CertificateRequest certRequest;
    private DHCrypt dh;
    private ECDHCrypt ecdh;
    private byte[] ephemeralServerKey;
    private ProtocolVersion maxProtocolVersion;
    private BigInteger serverDH;
    private boolean serverKeyExchangeReceived;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: cn.com.infosec.mobile.gm.tls.ClientHandshaker$1, reason: invalid class name */
    /* loaded from: classes.dex */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] a;

        static {
            int[] iArr = new int[CipherSuite.KeyExchange.values().length];
            a = iArr;
            try {
                iArr[CipherSuite.KeyExchange.K_ECC.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                a[CipherSuite.KeyExchange.K_ECDHE_SM3withSM2.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, true, true, protocolVersion, z, z2, bArr, bArr2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, true, true, protocolVersion, z, z2, bArr, bArr2);
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        HandshakeMessage.Finished finished = new HandshakeMessage.Finished(this.a, this.j, 1, this.q.c());
        H(finished, z);
        if (this.c) {
            this.d = finished.g();
        }
        this.m = 19;
    }

    private void serverCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            certificateMsg.c(System.out);
        }
        X509Certificate[] g = certificateMsg.g();
        if (g.length == 0) {
            g((byte) 42, "empty certificate chain");
        }
        try {
            new ArrayList();
            long currentTimeMillis = System.currentTimeMillis();
            X509Certificate[] trustCerts = this.n.getTrustStore().getTrustCerts();
            boolean z = false;
            for (X509Certificate x509Certificate : g) {
                if (currentTimeMillis < x509Certificate.getNotBefore().getTime() || x509Certificate.getNotAfter().getTime() < currentTimeMillis) {
                    throw new CertificateException("cert [" + x509Certificate.getSerialNumber().toString(16) + "] expired");
                }
            }
            if (g.length <= 2) {
                int length = trustCerts.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    X509Certificate x509Certificate2 = trustCerts[i];
                    boolean verify = this.n.getTrustStore().getHsm().verify(g[0].getTBSCertificate(), g[0].getSignature(), x509Certificate2.getPublicKey(), IHSM.SM3withSM2, SM2Id.getVerifyId("CERT"));
                    boolean verify2 = this.n.getTrustStore().getHsm().verify(g[1].getTBSCertificate(), g[1].getSignature(), x509Certificate2.getPublicKey(), IHSM.SM3withSM2, SM2Id.getVerifyId("CERT"));
                    if (verify && verify2) {
                        z = true;
                        break;
                    }
                    i++;
                }
                if (!z) {
                    throw new CertificateException("server cert  is NOT tursted");
                }
                this.q.n(g);
                return;
            }
            boolean z2 = false;
            for (X509Certificate x509Certificate3 : (X509Certificate[]) Arrays.copyOfRange(g, 2, g.length)) {
                for (X509Certificate x509Certificate4 : trustCerts) {
                    if (x509Certificate4.getSerialNumber().equals(x509Certificate3.getSerialNumber()) && x509Certificate4.getSubjectDN().equals(x509Certificate3.getSubjectDN())) {
                        z2 = true;
                    }
                }
            }
            if (!z2) {
                throw new CertificateException("server cert  is NOT tursted");
            }
            this.q.n(g);
        } catch (Exception e) {
            i((byte) 46, e);
        }
    }

    private void serverFinished(HandshakeMessage.Finished finished) throws IOException {
        Debug debug = Handshaker.x;
        if (debug != null && Debug.isOn("handshake")) {
            finished.c(System.out);
        }
        if (!finished.h(this.a, this.j, 2, this.q.c())) {
            g((byte) 47, "server 'finished' message doesn't verify");
        }
        if (this.c) {
            this.e = finished.g();
        }
        if (this.u) {
            this.k.a();
            sendChangeCipherAndFinish(true);
        }
        this.q.j(System.currentTimeMillis());
        if (this.u) {
            return;
        }
        if (!this.q.h()) {
            if (debug == null || !Debug.isOn(d.aC)) {
                return;
            }
            System.out.println("%% Didn't cache non-resumable client session: " + this.q);
            return;
        }
        ((SSLSessionContextImpl) this.n.a()).c(this.q);
        if (debug == null || !Debug.isOn(d.aC)) {
            return;
        }
        System.out.println("%% Cached client session: " + this.q);
    }

    private void serverHello(HandshakeMessage.ServerHello serverHello) throws IOException {
        this.serverKeyExchangeReceived = false;
        Debug debug = Handshaker.x;
        if (debug != null && Debug.isOn("handshake")) {
            serverHello.c(System.out);
        }
        ProtocolVersion protocolVersion = serverHello.p;
        if (!this.g.a(protocolVersion)) {
            throw new SSLHandshakeException("Server chose unsupported or disabled protocol: " + protocolVersion);
        }
        L(protocolVersion);
        RenegotiationInfoExtension renegotiationInfoExtension = (RenegotiationInfoExtension) serverHello.u.b(ExtensionType.p);
        if (renegotiationInfoExtension != null) {
            if (this.f) {
                if (!renegotiationInfoExtension.d()) {
                    g((byte) 40, "The renegotiation_info field is not empty");
                }
                this.c = true;
            } else {
                if (!this.c) {
                    g((byte) 40, "Unexpected renegotiation indication extension");
                }
                byte[] bArr = this.d;
                byte[] bArr2 = new byte[bArr.length + this.e.length];
                System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
                byte[] bArr3 = this.e;
                System.arraycopy(bArr3, 0, bArr2, this.d.length, bArr3.length);
                if (!Arrays.equals(bArr2, renegotiationInfoExtension.c())) {
                    g((byte) 40, "Incorrect verify data in ServerHello renegotiation_info message");
                }
            }
        } else if (this.f) {
            if (!Handshaker.z) {
                g((byte) 40, "Failed to negotiate the use of secure renegotiation");
            }
            this.c = false;
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println("Warning: No renegotiation indication extension in ServerHello");
            }
        } else if (this.c) {
            g((byte) 40, "No renegotiation indication extension");
        }
        this.p = serverHello.q;
        if (!x(serverHello.s)) {
            g((byte) 47, "Server selected improper ciphersuite " + this.s);
        }
        if (serverHello.s.d.equals(CipherSuite.KeyExchange.K_ECDHE_SM3withSM2) && this.n.getEncStore() == null) {
            g((byte) 40, "ECDHE key exchange, client enc Store is REQUIRED.");
        }
        I(serverHello.s);
        if (serverHello.t != 0) {
            g((byte) 47, "compression type not supported, " + ((int) serverHello.t));
        }
        SSLSessionImpl sSLSessionImpl = this.q;
        if (sSLSessionImpl != null) {
            if (sSLSessionImpl.e().equals(serverHello.r)) {
                if (this.s != this.q.f()) {
                    throw new SSLProtocolException("Server returned wrong cipher suite for session");
                }
                if (this.a != this.q.d()) {
                    throw new SSLProtocolException("Server resumed session with wrong protocol version");
                }
                this.u = true;
                this.m = 19;
                d(this.q.c(), this.q.d());
                if (debug == null || !Debug.isOn(d.aC)) {
                    return;
                }
                System.out.println("%% Server resumed " + this.q);
                return;
            }
            this.q = null;
            if (!this.v) {
                throw new SSLException("New session creation is disabled");
            }
        }
        Iterator<HelloExtension> it = serverHello.u.d().iterator();
        while (it.hasNext()) {
            ExtensionType extensionType = it.next().a;
            if (extensionType != ExtensionType.l && extensionType != ExtensionType.m && extensionType != ExtensionType.p) {
                g((byte) 110, "Server sent an unsupported extension: " + extensionType);
            }
        }
        this.q = new SSLSessionImpl(this.a, this.s, serverHello.r, m(), q());
        if (Handshaker.x == null || !Debug.isOn("handshake")) {
            return;
        }
        System.out.println("** " + this.s);
    }

    private void serverHelloDone(HandshakeMessage.ServerHelloDone serverHelloDone) throws IOException {
        KeyStore keyStore;
        HandshakeMessage sM2ClientKeyExchange;
        byte[] bArr;
        KeyStore keyStore2;
        HandshakeMessage.CertificateMsg certificateMsg;
        X509Certificate[] x509CertificateArr;
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            serverHelloDone.c(System.out);
        }
        this.k.a();
        HandshakeMessage.CertificateVerify certificateVerify = null;
        if (this.certRequest != null) {
            ArrayList arrayList = new ArrayList(4);
            int i = 0;
            while (true) {
                byte[] bArr2 = this.certRequest.p;
                int length = bArr2.length;
                String str = IHSM.EC;
                if (i >= length) {
                    break;
                }
                if (bArr2[i] != 64) {
                    str = null;
                }
                if (str != null && !arrayList.contains(str)) {
                    arrayList.add(str);
                }
                i++;
            }
            if (arrayList.contains(IHSM.EC)) {
                X500Principal[] g = this.certRequest.g();
                keyStore2 = this.n.getSignStore();
                if (keyStore2 != null) {
                    X509Certificate cert = keyStore2.getCert();
                    for (X500Principal x500Principal : g) {
                        if (cert != null && cert.getIssuerX500Principal().equals(x500Principal)) {
                            if (this.n.getEncStore() == null || this.n.getEncStore().getCert() == null || !this.n.getEncStore().getCert().getIssuerX500Principal().equals(x500Principal)) {
                                g((byte) 41, "NO encrypt cert found");
                                x509CertificateArr = null;
                            } else {
                                x509CertificateArr = new X509Certificate[]{cert, this.n.getEncStore().getCert()};
                            }
                            certificateMsg = new HandshakeMessage.CertificateMsg(x509CertificateArr);
                            this.q.k(x509CertificateArr);
                        }
                    }
                }
                certificateMsg = null;
            } else {
                keyStore2 = null;
                certificateMsg = null;
            }
            if (certificateMsg == null) {
                if (this.a.a >= ProtocolVersion.h.a) {
                    certificateMsg = new HandshakeMessage.CertificateMsg(new X509Certificate[0]);
                } else {
                    P((byte) 41);
                }
            }
            if (certificateMsg != null) {
                if (Handshaker.x != null && Debug.isOn("handshake")) {
                    certificateMsg.c(System.out);
                }
                certificateMsg.f(this.l);
            }
            keyStore = keyStore2;
        } else {
            keyStore = null;
        }
        int[] iArr = AnonymousClass1.a;
        int i2 = iArr[this.t.ordinal()];
        if (i2 == 1) {
            sM2ClientKeyExchange = new SM2ClientKeyExchange(this.a, this.maxProtocolVersion, this.n.f(), this.q.getPeerCertificateChain_GM()[1].getPublicKey(), this.n.getEncStore());
        } else {
            if (i2 != 2) {
                throw new RuntimeException("Unsupported key exchange: " + this.t);
            }
            this.ecdh = new ECDHCrypt();
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            KeyStore encStore = this.n.getEncStore();
            try {
                byte[] priKey = encStore.getPriKey();
                byte[] sm2PublicKeyToByte = CipherUtil.sm2PublicKeyToByte(encStore.getCert().getPublicKey());
                this.ecdh.f(priKey);
                this.ecdh.g(sm2PublicKeyToByte);
                byteArrayOutputStream.write(this.ecdh.e());
                sM2ClientKeyExchange = new ECDHClientKeyExchange(byteArrayOutputStream.toByteArray());
            } catch (Exception e) {
                throw new IOException("Internal cryptoException in make client ECDHE", e);
            }
        }
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            sM2ClientKeyExchange.c(System.out);
        }
        sM2ClientKeyExchange.f(this.l);
        this.l.a();
        this.l.flush();
        int i3 = iArr[this.t.ordinal()];
        if (i3 == 1) {
            bArr = ((SM2ClientKeyExchange) sM2ClientKeyExchange).p;
        } else {
            if (i3 != 2) {
                throw new IOException("Internal error: unknown key exchange " + this.t);
            }
            try {
                bArr = this.ecdh.a(this.a, this.ephemeralServerKey, CipherUtil.sm2PublicKeyToByte(this.q.getPeerCertificates()[1].getPublicKey()));
            } catch (Exception e2) {
                throw new IOException("Interal cryptoException in ECDHE agreed", e2);
            }
        }
        e(bArr, this.a);
        if (keyStore != null) {
            try {
                certificateVerify = new HandshakeMessage.CertificateVerify(this.a, this.j, keyStore, this.q.c(), this.n.f());
            } catch (GeneralSecurityException e3) {
                h((byte) 40, "Error signing certificate verify", e3);
            }
            if (Handshaker.x != null && Debug.isOn("handshake")) {
                certificateVerify.c(System.out);
            }
            certificateVerify.f(this.l);
            this.l.a();
        }
        sendChangeCipherAndFinish(false);
    }

    private void serverHelloRequest(HandshakeMessage.HelloRequest helloRequest) throws IOException {
        Debug debug = Handshaker.x;
        if (debug != null && Debug.isOn("handshake")) {
            helloRequest.c(System.out);
        }
        if (this.m < 1) {
            boolean z = this.c;
            if (z || Handshaker.y) {
                if (!z && debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: continue with insecure renegotiation");
                }
                z();
                return;
            }
            if (this.b.a < ProtocolVersion.h.a) {
                g((byte) 40, "Renegotiation is not allowed");
            } else {
                P((byte) 100);
                this.w = true;
            }
        }
    }

    private void serverKeyExchange(HandshakeMessage.DH_ServerKeyExchange dH_ServerKeyExchange) throws IOException {
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            dH_ServerKeyExchange.c(System.out);
        }
        this.dh = new DHCrypt(dH_ServerKeyExchange.h(), dH_ServerKeyExchange.g(), this.n.f());
        this.serverDH = dH_ServerKeyExchange.i();
    }

    private void serverKeyExchange(HandshakeMessage.ECDH_ServerKeyExchange eCDH_ServerKeyExchange) throws IOException {
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            eCDH_ServerKeyExchange.c(System.out);
        }
        this.ephemeralServerKey = eCDH_ServerKeyExchange.g();
    }

    private void serverKeyExchange(HandshakeMessage.SM2_ServerKeyExchange sM2_ServerKeyExchange) throws IOException, GeneralSecurityException {
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            sM2_ServerKeyExchange.c(System.out);
        }
        if (this.q.getPeerCertificates().length > 1) {
            sM2_ServerKeyExchange.g(this.q.getPeerCertificates()[0].getPublicKey(), this.o, this.p, this.q.getPeerCertificates()[1]);
        }
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    void F(byte b, int i) throws IOException {
        int i2 = this.m;
        if (i2 > b && b != 0 && i2 != 1) {
            throw new SSLProtocolException("Handshake message sequence violation, " + ((int) b));
        }
        if (b == 0) {
            serverHelloRequest(new HandshakeMessage.HelloRequest(this.k));
        } else if (b == 2) {
            serverHello(new HandshakeMessage.ServerHello(this.k, i));
        } else if (b != 20) {
            switch (b) {
                case 11:
                    serverCertificate(new HandshakeMessage.CertificateMsg(this.k));
                    break;
                case 12:
                    this.serverKeyExchangeReceived = true;
                    int i3 = AnonymousClass1.a[this.t.ordinal()];
                    if (i3 == 1) {
                        try {
                            serverKeyExchange(new HandshakeMessage.SM2_ServerKeyExchange(this.k));
                            break;
                        } catch (GeneralSecurityException e) {
                            Handshaker.O("Server key", e);
                            break;
                        }
                    } else {
                        if (i3 != 2) {
                            throw new SSLProtocolException("unsupported key exchange algorithm = " + this.t);
                        }
                        try {
                            serverKeyExchange(new HandshakeMessage.ECDH_ServerKeyExchange(this.k, this.q.getPeerCertificateChain_GM()[0].getPublicKey(), this.o.a, this.p.a));
                            break;
                        } catch (GeneralSecurityException e2) {
                            Handshaker.O("Server key", e2);
                            break;
                        }
                    }
                case 13:
                    this.certRequest = new HandshakeMessage.CertificateRequest(this.k);
                    if (Handshaker.x != null && Debug.isOn("handshake")) {
                        this.certRequest.c(System.out);
                        break;
                    }
                    break;
                case 14:
                    serverHelloDone(new HandshakeMessage.ServerHelloDone(this.k));
                    break;
                default:
                    throw new SSLProtocolException("Illegal client handshake msg, " + ((int) b));
            }
        } else {
            serverFinished(new HandshakeMessage.Finished(this.a, this.k));
        }
        if (this.m < b) {
            this.m = b;
        }
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    HandshakeMessage o() throws SSLException {
        SessionID e = SSLSessionImpl.a.e();
        CipherSuiteList cipherSuiteList = this.r;
        this.maxProtocolVersion = this.a;
        this.q = ((SSLSessionContextImpl) this.n.a()).a(m(), q());
        Debug debug = Handshaker.x;
        if (debug != null && Debug.isOn(d.aC)) {
            if (this.q != null) {
                PrintStream printStream = System.out;
                StringBuilder sb = new StringBuilder();
                sb.append("%% Client cached ");
                sb.append(this.q);
                sb.append(this.q.h() ? "" : " (not rejoinable)");
                printStream.println(sb.toString());
            } else {
                System.out.println("%% No cached client session");
            }
        }
        SSLSessionImpl sSLSessionImpl = this.q;
        if (sSLSessionImpl != null && !sSLSessionImpl.h()) {
            this.q = null;
        }
        SSLSessionImpl sSLSessionImpl2 = this.q;
        if (sSLSessionImpl2 != null) {
            CipherSuite f = sSLSessionImpl2.f();
            ProtocolVersion d = this.q.d();
            if (!x(f)) {
                if (debug != null && Debug.isOn(d.aC)) {
                    System.out.println("%% can't resume, unavailable cipher");
                }
                this.q = null;
            }
            if (this.q != null && !this.g.a(d)) {
                if (debug != null && Debug.isOn(d.aC)) {
                    System.out.println("%% can't resume, protocol disabled");
                }
                this.q = null;
            }
            if (this.q != null) {
                if (debug != null && (Debug.isOn("handshake") || Debug.isOn(d.aC))) {
                    System.out.println("%% Try resuming " + this.q + " from port " + p());
                }
                e = this.q.e();
                this.maxProtocolVersion = d;
                L(d);
            }
            if (!this.v) {
                if (this.q == null) {
                    throw new SSLException("Can't reuse existing SSL client session");
                }
                ArrayList arrayList = new ArrayList(2);
                arrayList.add(f);
                if (!this.c) {
                    CipherSuite cipherSuite = CipherSuite.r;
                    if (cipherSuiteList.c(cipherSuite)) {
                        arrayList.add(cipherSuite);
                    }
                }
                cipherSuiteList = new CipherSuiteList(arrayList);
            }
        }
        if (this.q == null && !this.v) {
            throw new SSLException("No existing session to resume");
        }
        boolean z = true;
        if (this.c && cipherSuiteList.c(CipherSuite.r)) {
            ArrayList arrayList2 = new ArrayList(cipherSuiteList.i() - 1);
            for (CipherSuite cipherSuite2 : cipherSuiteList.b()) {
                if (cipherSuite2 != CipherSuite.r) {
                    arrayList2.add(cipherSuite2);
                }
            }
            cipherSuiteList = new CipherSuiteList(arrayList2);
        }
        Iterator<CipherSuite> it = cipherSuiteList.b().iterator();
        while (true) {
            if (!it.hasNext()) {
                z = false;
                break;
            }
            if (x(it.next())) {
                break;
            }
        }
        if (!z) {
            throw new SSLException("No negotiable cipher suite");
        }
        HandshakeMessage.ClientHello clientHello = new HandshakeMessage.ClientHello(this.n.f(), this.maxProtocolVersion, e, cipherSuiteList);
        this.o = clientHello.q;
        if (this.c || !cipherSuiteList.c(CipherSuite.r)) {
            clientHello.g(this.d);
        }
        return clientHello;
    }

    @Override // cn.com.infosec.mobile.gm.tls.Handshaker
    void u(byte b) throws SSLProtocolException {
        String a = Alerts.a(b);
        if (Handshaker.x != null && Debug.isOn("handshake")) {
            System.out.println("SSL - handshake alert: " + a);
        }
        throw new SSLProtocolException("handshake alert:  " + a);
    }
}
