package org.bouncycastle.tls;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Vector;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.TlsCryptoParameters;
import org.bouncycastle.tls.crypto.TlsECConfig;
import org.bouncycastle.tls.crypto.TlsSecret;
import org.bouncycastle.tls.crypto.TlsVerifier;
import org.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedECCSM2;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/gmssl-jsse-provider-1.3.4-SNAPSHOT.jar:org/bouncycastle/tls/TlsECCSM2KeyExchange.class */
public class TlsECCSM2KeyExchange extends AbstractTlsKeyExchange {
    private Logger logger;
    protected TlsCertificate peerCertificate;
    public BcDefaultTlsCredentialedECCSM2 serverCredentials;
    protected TlsCertificate encryptionCertificate;
    protected TlsVerifier verifier;
    protected TlsSecret preMasterSecret;

    public TlsECCSM2KeyExchange(int i, Vector vector, TlsECConfigVerifier tlsECConfigVerifier, short[] sArr, short[] sArr2) {
        this(i, vector, tlsECConfigVerifier, null, sArr, sArr2);
    }

    public TlsECCSM2KeyExchange(int i, Vector vector, TlsECConfig tlsECConfig, short[] sArr) {
        this(i, vector, null, tlsECConfig, null, sArr);
    }

    private TlsECCSM2KeyExchange(int i, Vector vector, TlsECConfigVerifier tlsECConfigVerifier, TlsECConfig tlsECConfig, short[] sArr, short[] sArr2) {
        super(i, vector);
        this.logger = LoggerFactory.getLogger(getClass());
        this.serverCredentials = null;
        this.verifier = null;
    }

    @Override // org.bouncycastle.tls.TlsKeyExchange
    public void skipServerCredentials() throws IOException {
        throw new TlsFatalAlert((short) 80);
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public void processServerCredentials(TlsCredentials tlsCredentials) throws IOException {
        if (!(tlsCredentials instanceof BcDefaultTlsCredentialedECCSM2)) {
            throw new TlsFatalAlert((short) 80);
        }
        this.serverCredentials = (BcDefaultTlsCredentialedECCSM2) tlsCredentials;
        this.encryptionCertificate = this.serverCredentials.getEncryptionCertificate();
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public void processServerCertificate(Certificate certificate) throws IOException {
        if (certificate.isEmpty()) {
            this.logger.error("processServerCertificate server cert is empty, alert bad_certificate");
            throw new TlsFatalAlert((short) 42);
        }
        checkServerCertSigAlg(certificate);
        this.encryptionCertificate = GMSSLUtils.getEncryptionCertificate(certificate);
        this.verifier = GMSSLUtils.getSignatureCertificate(certificate).createVerifier(TlsUtils.getSignatureAlgorithm(this.keyExchange));
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public boolean requiresServerKeyExchange() {
        return true;
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public byte[] generateServerKeyExchange() throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        TlsUtils.writeOpaque16(GMSSLUtils.generateECCSM2ServerKeyExchangeSignature(this.context, this.serverCredentials, this.encryptionCertificate), byteArrayOutputStream);
        return byteArrayOutputStream.toByteArray();
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public void processServerKeyExchange(InputStream inputStream) throws IOException {
        GMSSLUtils.verifyECCSM2ServerKeyExchangeSignature(this.context, this.verifier, new DigitallySigned(new SignatureAndHashAlgorithm((short) 7, (short) 4), TlsUtils.readOpaque16(inputStream)), this.encryptionCertificate);
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public short[] getClientCertificateTypes() {
        return new short[]{1, 64, 80};
    }

    @Override // org.bouncycastle.tls.TlsKeyExchange
    public void processClientCredentials(TlsCredentials tlsCredentials) throws IOException {
        if (!(tlsCredentials instanceof TlsCredentialedSigner)) {
            throw new TlsFatalAlert((short) 80);
        }
    }

    @Override // org.bouncycastle.tls.TlsKeyExchange
    public void generateClientKeyExchange(OutputStream outputStream) throws IOException {
        this.preMasterSecret = TlsUtils.generateEncryptedPreMasterSecret(this.context, this.encryptionCertificate, outputStream);
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public void processClientCertificate(Certificate certificate) throws IOException {
        if (certificate.isEmpty()) {
            this.logger.error("processClientCertificate client cert is empty, alert bad_certificate");
            throw new TlsFatalAlert((short) 42);
        }
        this.peerCertificate = GMSSLUtils.getSignatureCertificate(certificate);
    }

    @Override // org.bouncycastle.tls.AbstractTlsKeyExchange, org.bouncycastle.tls.TlsKeyExchange
    public void processClientKeyExchange(InputStream inputStream) throws IOException {
        this.preMasterSecret = this.serverCredentials.decrypt(new TlsCryptoParameters(this.context), TlsUtils.readOpaque16(inputStream));
    }

    @Override // org.bouncycastle.tls.TlsKeyExchange
    public TlsSecret generatePreMasterSecret() throws IOException {
        TlsSecret tlsSecret = this.preMasterSecret;
        this.preMasterSecret = null;
        return tlsSecret;
    }
}
