package org.bouncycastle.tls;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509KeyManager;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsCryptoParameters;
import org.bouncycastle.tls.crypto.TlsStreamSigner;
import org.bouncycastle.tls.crypto.TlsVerifier;
import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto;
import org.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedECCSM2;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib-provided/gmssl-jsse-provider-1.3.5-SNAPSHOT.jar:org/bouncycastle/tls/GMSSLUtils.class */
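/**
 * Helpers for the GMSSL (SM2 dual-certificate) handshake.
 * <p>
 * A GMSSL {@link Certificate} message built by this class always carries the signing
 * end-entity certificate at index 0 and the encryption end-entity certificate at index 1,
 * followed by the (de-duplicated) issuer certificates of both chains. The accessors
 * {@link #getSignatureCertificate} and {@link #getEncryptionCertificate} rely on that layout.
 * <p>
 * Algorithm code points and alert numbers used by this profile are gathered into named
 * constants below so that the handshake logic reads without magic numbers.
 */
public class GMSSLUtils {
    private static final Logger logger = LoggerFactory.getLogger(GMSSLUtils.class);

    /** Key-usage bits a signing certificate must carry: digitalSignature | nonRepudiation (0xC0 = 192). */
    private static final int SIGNATURE_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.nonRepudiation;

    /** Key-usage bits an encryption certificate must carry: keyEncipherment | dataEncipherment | keyAgreement (0x38 = 56). */
    private static final int ENCRYPTION_KEY_USAGE = KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement;

    /** Hash algorithm code point this profile uses for CertificateVerify (7; presumably SM3 — confirm against the fork's HashAlgorithm). */
    private static final short GMSSL_HASH_ALGORITHM = 7;

    /** Signature algorithm code point this profile uses for CertificateVerify (4; presumably SM2 — confirm against the fork's SignatureAlgorithm). */
    private static final short GMSSL_SIGNATURE_ALGORITHM = 4;

    /** TLS alert bad_certificate (42): sent when a CertificateVerify arrives without a client certificate. */
    private static final short ALERT_BAD_CERTIFICATE = 42;

    /** TLS alert decrypt_error (51): sent when a handshake signature fails to verify. */
    private static final short ALERT_DECRYPT_ERROR = 51;

    /** TLS alert internal_error (80): a local failure while encoding our own certificates. */
    private static final short ALERT_INTERNAL_ERROR = 80;

    /**
     * Builds SM2 dual-certificate credentials from the key manager: one alias supplies the
     * signing key and certificate chain, another the encryption key and certificate chain.
     * <p>
     * Alias selection order for each role: first by key-usage bits of the end-entity
     * certificate ({@link #getSignatureAlias} / {@link #getEncryptioneAlias}); if that yields
     * nothing, the conventional alias names {@code "sign"} / {@code "enc"}; as a last resort the
     * first alias (signing) or the second alias (encryption). Unlike the earlier version, a
     * positional fallback beyond the end of the alias list no longer throws; it yields
     * {@code null}, and the method then returns {@code null} as documented.
     * <p>
     * NOTE(review): when the key manager exposes exactly one alias, both roles resolve to that
     * same alias, so one key pair is used for signing and for encryption. Callers that require
     * two distinct certificates must check for this themselves.
     *
     * @param str                       key type passed through to the key manager's alias lookup
     * @param abstractTlsCrypto         crypto provider used to build the TLS certificates and the credentials
     * @param x509KeyManager            source of aliases, certificate chains and private keys
     * @param signatureAndHashAlgorithm algorithm pair recorded in the credentials
     * @param tlsContext                decides whether server or client aliases are consulted
     * @return the credentials, or {@code null} if no alias could be found for one of the two roles
     * @throws IOException if the key manager returns no alias array at all, or a certificate cannot be encoded
     */
    public static DefaultTlsCredentialedSigner generateCredentials(String str, AbstractTlsCrypto abstractTlsCrypto, X509KeyManager x509KeyManager, SignatureAndHashAlgorithm signatureAndHashAlgorithm, TlsContext tlsContext) throws IOException {
        String signatureAlias = getSignatureAlias(str, x509KeyManager, abstractTlsCrypto, tlsContext);
        String encryptioneAlias = getEncryptioneAlias(str, x509KeyManager, abstractTlsCrypto, tlsContext);
        String[] aliasArray = loadAliases(str, x509KeyManager, tlsContext);
        // The key-usage lookup above already rejects a null alias array; treat it as empty here anyway.
        List<String> aliases = aliasArray == null ? Arrays.<String>asList() : Arrays.asList(aliasArray);
        if (signatureAlias == null) {
            signatureAlias = pickAlias(aliases, "sign", 0);
        }
        if (encryptioneAlias == null) {
            encryptioneAlias = pickAlias(aliases, "enc", 1);
        }
        if (signatureAlias == null || encryptioneAlias == null) {
            return null;
        }
        Certificate signChain = getCertificateMessage(abstractTlsCrypto, x509KeyManager.getCertificateChain(signatureAlias));
        Certificate encChain = getCertificateMessage(abstractTlsCrypto, x509KeyManager.getCertificateChain(encryptioneAlias));
        // NOTE(review): getPrivateKey may return null for an alias without a key; what the
        // credentials constructor does with a null key is not visible here.
        return new BcDefaultTlsCredentialedECCSM2(new TlsCryptoParameters(tlsContext), abstractTlsCrypto, makeGMSSLCertificate(signChain, encChain), x509KeyManager.getPrivateKey(signatureAlias), x509KeyManager.getPrivateKey(encryptioneAlias), signatureAndHashAlgorithm);
    }

    /**
     * Returns the server or client aliases for {@code keyType}, depending on the context's role.
     * May return {@code null} when the key manager has nothing for that key type.
     */
    private static String[] loadAliases(String keyType, X509KeyManager keyManager, TlsContext tlsContext) {
        return tlsContext.isServer() ? keyManager.getServerAliases(keyType, null) : keyManager.getClientAliases(keyType, null);
    }

    /**
     * Chooses an alias by name, falling back to a position.
     *
     * @param aliases       aliases offered by the key manager
     * @param preferred     alias name to use if present
     * @param fallbackIndex position to use when {@code preferred} is absent
     * @return {@code preferred} if present, else the alias at {@code fallbackIndex}, else {@code null}
     */
    private static String pickAlias(List<String> aliases, String preferred, int fallbackIndex) {
        if (aliases.contains(preferred)) {
            return preferred;
        }
        return fallbackIndex < aliases.size() ? aliases.get(fallbackIndex) : null;
    }

    /**
     * Merges a signing chain and an encryption chain into one GMSSL certificate message.
     * <p>
     * Layout of the result: [signing end-entity, encryption end-entity, issuers of the signing
     * chain, issuers of the encryption chain not already present]. Issuer de-duplication is by
     * serial number only; serial numbers are unique per issuer, not globally, so two different
     * issuers that happen to share a serial would be conflated (a caveat, unchanged from the
     * earlier version).
     *
     * @param certificate  chain whose first entry is the signing certificate
     * @param certificate2 chain whose first entry is the encryption certificate
     * @return the merged chain
     * @throws IllegalArgumentException if either chain is {@code null} or empty
     */
    public static Certificate makeGMSSLCertificate(Certificate certificate, Certificate certificate2) {
        if (certificate == null || certificate.getLength() == 0 || certificate2 == null || certificate2.getLength() == 0) {
            throw new IllegalArgumentException("both the signing and the encryption chain must contain an end-entity certificate");
        }
        List<TlsCertificate> merged = new ArrayList<TlsCertificate>();
        merged.add(certificate.getCertificateAt(0));
        merged.add(certificate2.getCertificateAt(0));
        List<BigInteger> issuerSerials = new ArrayList<BigInteger>();
        for (int i = 1; i < certificate.getLength(); i++) {
            TlsCertificate issuer = certificate.getCertificateAt(i);
            merged.add(issuer);
            issuerSerials.add(issuer.getSerialNumber());
        }
        for (int i = 1; i < certificate2.getLength(); i++) {
            TlsCertificate issuer = certificate2.getCertificateAt(i);
            // Skip issuers that the signing chain already contributed.
            if (!issuerSerials.contains(issuer.getSerialNumber())) {
                merged.add(issuer);
            }
        }
        return new Certificate(merged.toArray(new TlsCertificate[merged.size()]));
    }

    /**
     * Returns the signing end-entity certificate (index 0 of a chain built by {@link #makeGMSSLCertificate}).
     */
    public static TlsCertificate getSignatureCertificate(Certificate certificate) {
        return certificate.getCertificateAt(0);
    }

    /**
     * Returns the encryption end-entity certificate (index 1 of a chain built by {@link #makeGMSSLCertificate}).
     */
    public static TlsCertificate getEncryptionCertificate(Certificate certificate) {
        return certificate.getCertificateAt(1);
    }

    /**
     * Finds the alias whose end-entity certificate carries the signing key-usage bits
     * ({@link #SIGNATURE_KEY_USAGE}); see {@link #getAliasWithKeyUsage} for the selection rules.
     */
    public static String getSignatureAlias(String str, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto, TlsContext tlsContext) throws IOException {
        return getAliasWithKeyUsage(str, SIGNATURE_KEY_USAGE, x509KeyManager, tlsCrypto, tlsContext);
    }

    /**
     * Finds the alias whose end-entity certificate carries the encryption key-usage bits
     * ({@link #ENCRYPTION_KEY_USAGE}); see {@link #getAliasWithKeyUsage} for the selection rules.
     */
    public static String getEncryptioneAlias(String str, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto, TlsContext tlsContext) throws IOException {
        return getAliasWithKeyUsage(str, ENCRYPTION_KEY_USAGE, x509KeyManager, tlsCrypto, tlsContext);
    }

    /**
     * Selects an alias by key usage.
     * <p>
     * Rules: with exactly one alias it is returned without any key-usage check; with exactly two
     * aliases the first one whose end-entity certificate has <em>all</em> of the bits in
     * {@code i} set is returned; with any other count (zero, or three and more) the result is
     * {@code null} and the caller falls back to its own selection. Only the first key-usage
     * octet is examined, so bits 0–7 (digitalSignature … encipherOnly) can be matched.
     * Aliases without a certificate chain are skipped instead of failing.
     *
     * @param str            key type passed through to the key manager's alias lookup
     * @param i              required key-usage bits (all must be present)
     * @param x509KeyManager source of aliases and certificate chains
     * @param tlsCrypto      crypto provider used to parse the certificates
     * @param tlsContext     decides whether server or client aliases are consulted
     * @return the selected alias, or {@code null}
     * @throws IOException if the key manager returns no alias array at all, or a certificate cannot be encoded
     */
    public static String getAliasWithKeyUsage(String str, int i, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto, TlsContext tlsContext) throws IOException {
        String[] aliases = loadAliases(str, x509KeyManager, tlsContext);
        if (aliases == null) {
            throw new IOException("key manager get aliases is null, check your key manager set!");
        }
        if (aliases.length == 1) {
            return aliases[0];
        }
        if (aliases.length != 2) {
            return null;
        }
        for (String alias : aliases) {
            if (hasKeyUsageBits(tlsCrypto, x509KeyManager, alias, i)) {
                return alias;
            }
        }
        return null;
    }

    /**
     * Reports whether the end-entity certificate of {@code alias} carries every bit of
     * {@code requiredBits} in the first octet of its KeyUsage extension.
     *
     * @return {@code false} when the alias has no chain, no extensions, no KeyUsage extension,
     *         an empty KeyUsage bit string, or a bit of {@code requiredBits} is clear
     */
    private static boolean hasKeyUsageBits(TlsCrypto tlsCrypto, X509KeyManager keyManager, String alias, int requiredBits) throws IOException {
        Certificate chain = getCertificateMessage(tlsCrypto, keyManager.getCertificateChain(alias));
        if (chain.getLength() == 0) {
            return false;
        }
        // The package-local Certificate is the TLS message type; the ASN.1 one must be fully qualified.
        org.bouncycastle.asn1.x509.Certificate leaf = org.bouncycastle.asn1.x509.Certificate.getInstance(chain.getCertificateAt(0).getEncoded());
        Extensions extensions = leaf.getTBSCertificate().getExtensions();
        if (extensions == null) {
            return false;
        }
        KeyUsage keyUsage = KeyUsage.fromExtensions(extensions);
        if (keyUsage == null) {
            return false;
        }
        byte[] usageBits = keyUsage.getBytes();
        if (usageBits == null || usageBits.length == 0) {
            return false;
        }
        // Mask to the first octet before comparing, as the earlier version did.
        return ((usageBits[0] & 0xFF) & requiredBits) == requiredBits;
    }

    /**
     * Converts a JCA certificate chain into a TLS {@link Certificate} message.
     *
     * @param tlsCrypto           crypto provider used to create the TLS certificates
     * @param x509CertificateArr  chain from the key manager; {@code null} or empty yields {@link Certificate#EMPTY_CHAIN}
     * @return the TLS certificate message
     * @throws TlsFatalAlert (internal_error) if an entry is {@code null} or cannot be DER-encoded; the chain is
     *         our own, so this is a local configuration failure rather than a peer error
     * @throws IOException if the crypto provider rejects an encoding
     */
    public static Certificate getCertificateMessage(TlsCrypto tlsCrypto, X509Certificate[] x509CertificateArr) throws IOException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return Certificate.EMPTY_CHAIN;
        }
        TlsCertificate[] chain = new TlsCertificate[x509CertificateArr.length];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate x509 = x509CertificateArr[i];
            if (x509 == null) {
                throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
            }
            try {
                chain[i] = tlsCrypto.createCertificate(x509.getEncoded());
            } catch (CertificateEncodingException e) {
                throw new TlsFatalAlert(ALERT_INTERNAL_ERROR, e);
            }
        }
        return new Certificate(chain);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Signs the ECC-SM2 ServerKeyExchange input (see {@link #calculateSignatureECCSM2}) with the
     * server's signing credentials.
     *
     * @param tlsCertificate certificate whose encoding is covered by the signature (presumably the
     *                       encryption certificate; the caller decides)
     * @return the raw signature bytes
     */
    public static byte[] generateECCSM2ServerKeyExchangeSignature(TlsContext tlsContext, TlsCredentialedSigner tlsCredentialedSigner, TlsCertificate tlsCertificate) throws IOException {
        return tlsCredentialedSigner.generateRawSignature(calculateSignatureECCSM2(tlsContext, tlsCertificate));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies the ECC-SM2 ServerKeyExchange signature over the input built by
     * {@link #calculateSignatureECCSM2}.
     *
     * @throws TlsFatalAlert (decrypt_error) if the signature does not verify
     * @throws IOException   if the verifier or the input construction fails
     */
    public static void verifyECCSM2ServerKeyExchangeSignature(TlsContext tlsContext, TlsVerifier tlsVerifier, DigitallySigned digitallySigned, TlsCertificate tlsCertificate) throws IOException {
        byte[] signedData = calculateSignatureECCSM2(tlsContext, tlsCertificate);
        boolean verified = tlsVerifier.verifyRawSignature(digitallySigned, signedData);
        if (!verified) {
            logger.error("verifyServerKeyExchangeSignature: verified {}", Boolean.valueOf(verified));
            throw new TlsFatalAlert(ALERT_DECRYPT_ERROR);
        }
    }

    /**
     * Builds the ServerKeyExchange signature input:
     * {@code client_random || server_random || opaque24(certificate encoding)}.
     *
     * @param tlsContext     supplies the client and server randoms
     * @param tlsCertificate certificate whose DER encoding is appended with a 3-byte length prefix
     * @return the bytes to sign or verify
     * @throws IOException if the certificate cannot be encoded
     */
    static byte[] calculateSignatureECCSM2(TlsContext tlsContext, TlsCertificate tlsCertificate) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        SecurityParameters securityParameters = tlsContext.getSecurityParameters();
        out.write(securityParameters.clientRandom);
        out.write(securityParameters.serverRandom);
        TlsUtils.writeOpaque24(tlsCertificate.getEncoded(), out);
        return out.toByteArray();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Signs the handshake hash for CertificateVerify with the client's signing credentials.
     * {@code tlsContext} and {@code tlsStreamSigner} are accepted for interface compatibility but
     * are not used: the signature is computed over the final hash, not streamed.
     *
     * @return the raw signature bytes
     */
    public static byte[] generateCertificateVerify(TlsContext tlsContext, TlsCredentialedSigner tlsCredentialedSigner, TlsStreamSigner tlsStreamSigner, TlsHandshakeHash tlsHandshakeHash) throws IOException {
        return tlsCredentialedSigner.generateRawSignature(tlsHandshakeHash.getFinalHash(GMSSL_HASH_ALGORITHM));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies a client's CertificateVerify: reads the opaque16 signature from the message body
     * and checks it against the handshake hash using the signing certificate (index 0 of the
     * client's chain). {@code certificateRequest} is accepted for interface compatibility but not
     * consulted.
     * <p>
     * NOTE(review): bytes left in {@code byteArrayInputStream} after the signature are not
     * checked here; the caller is assumed to enforce that the message is fully consumed.
     *
     * @throws TlsFatalAlert (bad_certificate) if the client sent no certificate,
     *                       (decrypt_error) if the signature does not verify
     * @throws IOException   if the message body is malformed or the verifier fails
     */
    public static void verifyCertificateVerify(TlsContext tlsContext, CertificateRequest certificateRequest, Certificate certificate, ByteArrayInputStream byteArrayInputStream, TlsHandshakeHash tlsHandshakeHash) throws IOException {
        if (certificate == null || certificate.getLength() == 0) {
            throw new TlsFatalAlert(ALERT_BAD_CERTIFICATE);
        }
        TlsVerifier verifier = certificate.getCertificateAt(0).createVerifier(GMSSL_SIGNATURE_ALGORITHM);
        SignatureAndHashAlgorithm algorithm = new SignatureAndHashAlgorithm(GMSSL_HASH_ALGORITHM, GMSSL_SIGNATURE_ALGORITHM);
        DigitallySigned digitallySigned = new DigitallySigned(algorithm, TlsUtils.readOpaque16(byteArrayInputStream));
        boolean verified = verifier.verifyRawSignature(digitallySigned, tlsHandshakeHash.getFinalHash(GMSSL_HASH_ALGORITHM));
        if (!verified) {
            // The earlier version concatenated the boolean onto the "{}" placeholder; pass it as an argument instead.
            logger.error("verifyCertificateVerify verified: {}", Boolean.valueOf(verified));
            throw new TlsFatalAlert(ALERT_DECRYPT_ERROR);
        }
    }
}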
